[JSC] DFG should respect node's strict flag
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] DFG should respect node's strict flag
4         https://bugs.webkit.org/show_bug.cgi?id=196617
5
6         Reviewed by Saam Barati.
7
8         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
9         (shouldEqual):
10         (makeUnwriteableUnconfigurableObject):
11         (runTest):
12         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
13         (shouldBe):
14         (shouldThrow):
15         (with.result):
16         (with.putValueStrict):
17         (with.putValueSloppy):
18
19 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
20
21         [JSC] isRope jump in StringSlice should not jump over register allocations
22         https://bugs.webkit.org/show_bug.cgi?id=196716
23
24         Reviewed by Saam Barati.
25
26         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
27         (foo.bar):
28         (foo):
29
30 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
31
32         [JSC] to_index_string should not assume incoming value is Uint32
33         https://bugs.webkit.org/show_bug.cgi?id=196713
34
35         Reviewed by Saam Barati.
36
37         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
38         (foo):
39
40 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
41
42         [JSC] Add more tests for r243966
43         https://bugs.webkit.org/show_bug.cgi?id=196711
44
45         Reviewed by Saam Barati.
46
47         Adding one more test for r243966 fix. The added test will not crash after r243966.
48
49         * stress/stress-cleared-calllinkinfo.js: Added.
50         (runNearStackLimit.t):
51         (runNearStackLimit):
52         (repeat):
53         (cls):
54         (let.item.of.array.runNearStackLimit):
55
56 2019-04-08  Saam Barati  <sbarati@apple.com>
57
58         WebAssembly.RuntimeError missing exception check
59         https://bugs.webkit.org/show_bug.cgi?id=196700
60         <rdar://problem/49693932>
61
62         Reviewed by Yusuke Suzuki.
63
64         * wasm/js-api/runtime-error-should-exception-check.js: Added.
65
66 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
67
68         Unreviewed, rolling in r243948 with test fix
69         https://bugs.webkit.org/show_bug.cgi?id=196486
70
71         * stress/arrow-function-and-use-strict-directive.js: Added.
72         * stress/arrow-function-syntax.js: Added.
73         (checkSyntax):
74         (checkSyntaxError):
75
76 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
77
78         Unreviewed, rolling out r243948.
79
80         Caused inspector/runtime/parse.html to fail
81
82         Reverted changeset:
83
84         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
85         https://bugs.webkit.org/show_bug.cgi?id=196486
86         https://trac.webkit.org/changeset/243948
87
88 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
89
90         Unreviewed, rolling out r243943.
91
92         Caused test262 failures.
93
94         Reverted changeset:
95
96         "[JSC] Filter DontEnum properties in
97         ProxyObject::getOwnPropertyNames()"
98         https://bugs.webkit.org/show_bug.cgi?id=176810
99         https://trac.webkit.org/changeset/243943
100
101 2019-04-07  Michael Saboff  <msaboff@apple.com>
102
103         REGRESSION (r243642): Crash in reddit.com page
104         https://bugs.webkit.org/show_bug.cgi?id=196684
105
106         Reviewed by Geoffrey Garen.
107
108         New regression test.
109
110         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
111
112 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
113
114         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
115         https://bugs.webkit.org/show_bug.cgi?id=196683
116
117         Reviewed by Saam Barati.
118
119         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
120         (foo):
121
122 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
123
124         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
125         https://bugs.webkit.org/show_bug.cgi?id=196582
126
127         Reviewed by Saam Barati.
128
129         * stress/add-overflow-check-with-three-same-registers.js: Added.
130         (foo):
131         (Number.prototype.valueOf):
132         (runWithNumber):
133
134 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
135
136         Unreviewed, rolling out r243665.
137
138         Caused iOS JSC tests to exit with an exception.
139
140         Reverted changeset:
141
142         "Assertion failed in JSC::createError"
143         https://bugs.webkit.org/show_bug.cgi?id=196305
144         https://trac.webkit.org/changeset/243665
145
146 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
147
148         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
149         https://bugs.webkit.org/show_bug.cgi?id=196486
150
151         Reviewed by Saam Barati.
152
153         * stress/arrow-function-and-use-strict-directive.js: Added.
154         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
155         (checkSyntax):
156         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
157
158 2019-04-05  Caitlin Potter  <caitp@igalia.com>
159
160         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
161         https://bugs.webkit.org/show_bug.cgi?id=176810
162
163         Reviewed by Saam Barati.
164
165         Add tests for the DontEnum filtering, and variations of other tests
166         take the DontEnum-filtering path.
167
168         * stress/proxy-own-keys.js:
169         (i.catch):
170         (set assert):
171         (set add):
172         (let.set new):
173         (get let):
174
175 2019-04-05  Caitlin Potter  <caitp@igalia.com>
176
177         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
178         https://bugs.webkit.org/show_bug.cgi?id=185211
179
180         Reviewed by Saam Barati.
181
182         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
183
184         This changes several assertions to expect a TypeError to be thrown (in some cases,
185         changing the expected message).
186
187         * es6/Proxy_ownKeys_duplicates.js:
188         (handler):
189         (shouldThrow):
190         (test):
191         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
192         (shouldThrow):
193         * stress/proxy-own-keys.js:
194         (i.catch):
195         (assert):
196
197 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
198
199         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
200         https://bugs.webkit.org/show_bug.cgi?id=196631
201
202         Reviewed by Saam Barati.
203
204         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
205         (assert):
206         (test):
207         (foo):
208
209 2019-04-04  Saam Barati  <sbarati@apple.com>
210
211         Unreviewed. Make the test from r243906 catch the thrown exceptions.
212
213         * stress/inferred-types-regex-matches-array.js:
214
215 2019-04-04  Saam Barati  <sbarati@apple.com>
216
217         createRegExpMatchesArray does not respect inferred types
218         https://bugs.webkit.org/show_bug.cgi?id=193287
219
220         Reviewed by Yusuke Suzuki.
221
222         This checks in the test case for 193287. This issue was discovered by
223         Samuel Groß of Google Project Zero.
224
225         * stress/inferred-types-regex-matches-array.js: Added.
226
227 2019-04-04  Saam barati  <sbarati@apple.com>
228
229         Teach Call ICs how to call Wasm
230         https://bugs.webkit.org/show_bug.cgi?id=196387
231
232         Reviewed by Filip Pizlo.
233
234         * wasm/function-tests/stack-trace.js:
235
236 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
237
238         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
239         https://bugs.webkit.org/show_bug.cgi?id=194944
240
241         Reviewed by Keith Miller.
242
243         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
244
245 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
246
247         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
248         https://bugs.webkit.org/show_bug.cgi?id=196409
249
250         Reviewed by Saam Barati.
251
252         * stress/bytecode-cache-cached-string-impl.js: Added.
253         (f):
254         (g):
255         * stress/bytecode-cache-run-string.js: Added.
256
257 2019-04-03  Robin Morisset  <rmorisset@apple.com>
258
259         B3 should use associativity to optimize expression trees
260         https://bugs.webkit.org/show_bug.cgi?id=194081
261
262         Reviewed by Filip Pizlo.
263
264         Added three microbenchmarks:
265         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
266         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
267           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
268         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
269
270         * microbenchmarks/add-tree.js: Added.
271         * microbenchmarks/bit-or-tree.js: Added.
272         * microbenchmarks/bit-xor-tree.js: Added.
273
274 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
275
276         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
277         https://bugs.webkit.org/show_bug.cgi?id=196574
278
279         Reviewed by Saam Barati.
280
281         * stress/string-index-of-exception-check.js: Added.
282         (blurType):
283         (1.forEach):
284
285 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
286
287         Assertion failed in JSC::createError
288         https://bugs.webkit.org/show_bug.cgi?id=196305
289         <rdar://problem/49387382>
290
291         Reviewed by Saam Barati.
292
293         * stress/create-error-out-of-memory-rope-string-2.js: Added.
294         (assert):
295         (catch):
296
297 2019-03-28  Saam Barati  <sbarati@apple.com>
298
299         BackwardsGraph needs to consider back edges as the backward's root successor
300         https://bugs.webkit.org/show_bug.cgi?id=195991
301
302         Reviewed by Filip Pizlo.
303
304         * stress/map-b3-licm-infinite-loop.js: Added.
305
306 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
307
308         CodeBlock::jettison() should disallow repatching its own calls
309         https://bugs.webkit.org/show_bug.cgi?id=196359
310         <rdar://problem/48973663>
311
312         Reviewed by Saam Barati.
313
314         * stress/call-link-info-osrexit-repatch.js: Added.
315         (foo):
316
317 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
318
319         [JSC] imports-oom.js intermittently fails
320         https://bugs.webkit.org/show_bug.cgi?id=196373
321
322         Reviewed by Saam Barati.
323
324         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
325         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
326         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
327         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
328         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
329
330         This patch reduces the maxParams from 32 to 8 to reduce the size of the randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
331         an expected OOM error. But this avoids the situation that we get an OOM error when we compile the first wasm module.
332
333         * wasm/lowExecutableMemory/imports-oom.js:
334
335 2019-03-27  Saam Barati  <sbarati@apple.com>
336
337         validateOSREntryValue with Int52 should box the value being checked into double format
338         https://bugs.webkit.org/show_bug.cgi?id=196313
339         <rdar://problem/49306703>
340
341         Reviewed by Yusuke Suzuki.
342
343         * stress/validate-int-52-ai-state.js: Added.
344
345 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
346
347         [JSC] Owner of watchpoints should validate at GC finalizing phase
348         https://bugs.webkit.org/show_bug.cgi?id=195827
349
350         Reviewed by Filip Pizlo.
351
352         * stress/gc-should-reap-dead-watchpoints.js: Added.
353         (foo):
354         (A.prototype.y):
355         (A):
356
357 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
358
359         Skip WebAssembly test on 32-bit systems
360         https://bugs.webkit.org/show_bug.cgi?id=196206
361
362         Reviewed by Saam Barati.
363
364         Invoking runDefault executes test immediately even though
365         that test should be skipped due to missing WASM support.
366         Therefore remove runDefault.
367
368         * wasm/regress/web-assembly-link-error-exception-check.js:
369
370 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
371
372         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
373         https://bugs.webkit.org/show_bug.cgi?id=196217
374
375         Reviewed by Saam Barati.
376
377         Re-enable all NaN tests for f32.min, f64.min and f64.max.
378
379         * wasm/spec-tests/f32.wast.js:
380         * wasm/spec-tests/f64.wast.js:
381         * wasm/wasm.json:
382
383 2019-03-25  Keith Miller  <keith_miller@apple.com>
384
385         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
386         https://bugs.webkit.org/show_bug.cgi?id=196176
387
388         Reviewed by Saam Barati.
389
390         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
391         (main.v10):
392         (main):
393
394 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
395
396         WebAssembly: f32.max with NaN generates incorrect result
397         https://bugs.webkit.org/show_bug.cgi?id=175691
398         <rdar://problem/33952228>
399
400         Reviewed by Saam Barati.
401
402         Enable all f32.max NaN tests
403
404         * wasm/spec-tests/f32.wast.js:
405         * wasm/wasm.json:
406
407 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
408
409         [JSC] Move test into directory for WASM tests
410         https://bugs.webkit.org/show_bug.cgi?id=196187
411
412         Reviewed by Mark Lam.
413
414         Move Test into wasm-directory. Otherwise this test
415         is also executed on systems without WASM support.
416
417         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
418
419 2019-03-23  Mark Lam  <mark.lam@apple.com>
420
421         Rolling out r243032 and r243071 because the fix is incorrect.
422         https://bugs.webkit.org/show_bug.cgi?id=195892
423         <rdar://problem/48981239>
424
425         Not reviewed.
426
427         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
428
429 2019-03-22  Mark Lam  <mark.lam@apple.com>
430
431         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
432         https://bugs.webkit.org/show_bug.cgi?id=196154
433         <rdar://problem/49145307>
434
435         Reviewed by Filip Pizlo.
436
437         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
438         There's no need to run this test on more than 1 test configuration.
439
440         * stress/typed-array-lastIndexOf-exception-check.js: Added.
441         * stress/web-assembly-link-error-exception-check.js:
442
443 2019-03-22  Mark Lam  <mark.lam@apple.com>
444
445         Placate exception check validation in constructJSWebAssemblyLinkError().
446         https://bugs.webkit.org/show_bug.cgi?id=196152
447         <rdar://problem/49145257>
448
449         Reviewed by Michael Saboff.
450
451         * stress/web-assembly-link-error-exception-check.js: Added.
452
453 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
454
455         Skip tests running out of memory on ARM/MIPS
456         https://bugs.webkit.org/show_bug.cgi?id=196131
457
458         Unreviewed. Skip test if memory is limited.
459
460         * microbenchmarks/put-by-val-direct-large-index.js:
461
462 2019-03-21  Mark Lam  <mark.lam@apple.com>
463
464         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
465         https://bugs.webkit.org/show_bug.cgi?id=196116
466         <rdar://problem/48976951>
467
468         Reviewed by Filip Pizlo.
469
470         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
471
472 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
473
474         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
475         https://bugs.webkit.org/show_bug.cgi?id=196078
476         <rdar://problem/35925380>
477
478         Reviewed by Mark Lam.
479
480         Add a new benchmark that allocates several objects and invokes put_by_val_direct
481         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
482
483         * microbenchmarks/put-by-val-direct-large-index.js: Added.
484
485 2019-03-21  Mark Lam  <mark.lam@apple.com>
486
487         Placate exception check validation in operationArrayIndexOfString().
488         https://bugs.webkit.org/show_bug.cgi?id=196067
489         <rdar://problem/49056572>
490
491         Reviewed by Michael Saboff.
492
493         * stress/string-equal-exception-check.js: Added.
494
495 2019-03-21  Mark Lam  <mark.lam@apple.com>
496
497         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
498         https://bugs.webkit.org/show_bug.cgi?id=196055
499         <rdar://problem/49067448>
500
501         Reviewed by Yusuke Suzuki.
502
503         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
504
505 2019-03-20  Saam Barati  <sbarati@apple.com>
506
507         typeOfDoubleSum is wrong for when NaN can be produced
508         https://bugs.webkit.org/show_bug.cgi?id=196030
509
510         Reviewed by Filip Pizlo.
511
512         * stress/double-add-sub-mul-can-produce-nan.js: Added.
513         (assert):
514         (noInline.sub):
515         (noInline):
516         (assert.mul):
517         (assert.add):
518
519 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
520
521         Update the test to ensure OutOfMemoryError is thrown as intended
522         https://bugs.webkit.org/show_bug.cgi?id=196032
523         <rdar://problem/46842740>
524
525         Rubber stamped by Saam Barati.
526
527         * stress/create-error-out-of-memory-rope-string.js:
528         (assert):
529         (catch):
530
531 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
532
533         JSC::createError needs to check for OOM in errorDescriptionForValue
534         https://bugs.webkit.org/show_bug.cgi?id=196032
535         <rdar://problem/46842740>
536
537         Reviewed by Mark Lam.
538
539         * stress/create-error-out-of-memory-rope-string.js: Added.
540
541 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
542
543         Unreviewed, reduce # of iterations to avoid timing out after r242991
544         https://bugs.webkit.org/show_bug.cgi?id=195791
545
546         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
547
548         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
549
550 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
551
552         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
553         https://bugs.webkit.org/show_bug.cgi?id=195950
554
555         Unreviewed, reducing the amount of memory used on this test to avoid
556         OOM on devices with memory restrictions.
557
558         * microbenchmarks/generate-multiple-llint-entrypoints.js:
559
560 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
561
562         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
563         https://bugs.webkit.org/show_bug.cgi?id=194648
564
565         Reviewed by Keith Miller.
566
567         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
568
569 2019-03-18  Mark Lam  <mark.lam@apple.com>
570
571         Missing a ThrowScope release in JSObject::toString().
572         https://bugs.webkit.org/show_bug.cgi?id=195893
573         <rdar://problem/48970986>
574
575         Reviewed by Michael Saboff.
576
577         * stress/to-string-exception-check-release.js: Added.
578
579 2019-03-18  Mark Lam  <mark.lam@apple.com>
580
581         Structure::flattenDictionary() should clear unused property slots.
582         https://bugs.webkit.org/show_bug.cgi?id=195871
583         <rdar://problem/48959497>
584
585         Reviewed by Michael Saboff.
586
587         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
588
589 2019-03-15  Mark Lam  <mark.lam@apple.com>
590
591         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
592         https://bugs.webkit.org/show_bug.cgi?id=195827
593         <rdar://problem/48845513>
594
595         Reviewed by Filip Pizlo.
596
597         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
598
599 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
600
601         [ARM,MIPS] Skip slow tests
602         https://bugs.webkit.org/show_bug.cgi?id=195799
603
604         Unreviewed, test does not finish on ARM and MIPS within the
605         timeout limit.
606
607         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
608
609 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
610
611         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
612         https://bugs.webkit.org/show_bug.cgi?id=195791
613         <rdar://problem/48806130>
614
615         Reviewed by Mark Lam.
616
617         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
618         (foo):
619
620 2019-03-14  Saam barati  <sbarati@apple.com>
621
622         We can't remove code after ForceOSRExit until after FixupPhase
623         https://bugs.webkit.org/show_bug.cgi?id=186916
624         <rdar://problem/41396612>
625
626         Reviewed by Yusuke Suzuki.
627
628         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
629         (foo):
630         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
631         (foo):
632
633 2019-03-13  Michael Saboff  <msaboff@apple.com>
634
635         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
636         https://bugs.webkit.org/show_bug.cgi?id=195735
637
638         Reviewed by Mark Lam.
639
640         New regression test.
641
642         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
643         (foo):
644         (bar):
645
646 2019-03-14  Saam barati  <sbarati@apple.com>
647
648         Fixup uses KnownInt32 incorrectly in some nodes
649         https://bugs.webkit.org/show_bug.cgi?id=195279
650         <rdar://problem/47915654>
651
652         Reviewed by Yusuke Suzuki.
653
654         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
655         (foo):
656
657 2019-03-14  Keith Miller  <keith_miller@apple.com>
658
659         DFG liveness can't skip tail caller inline frames
660         https://bugs.webkit.org/show_bug.cgi?id=195715
661
662         Reviewed by Saam Barati.
663
664         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
665         (i.foo):
666
667 2019-03-13  Mark Lam  <mark.lam@apple.com>
668
669         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
670         https://bugs.webkit.org/show_bug.cgi?id=195415
671
672         Not reviewed.
673
674         Changed these tests to only run the default configuration.
675         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
676         There's no strong need to run this test on that variant.
677
678         * stress/dfg-to-string-on-int-does-gc.js:
679         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
680
681 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
682
683         String overflow when using StringBuilder in JSC::createError
684         https://bugs.webkit.org/show_bug.cgi?id=194957
685
686         Reviewed by Mark Lam.
687
688         Add test string-overflow-createError-builder.js that overflows
689         StringBuilder in notAFunctionSourceAppender. The second new test
690         string-overflow-createError-fit.js has an error message that doesn't
691         overflow, it still failed since the String's capacity can't be doubled.
692         Run test string-overflow-createError.js only in the default
693         configuration to reduce memory consumption when running the test
694         in all configurations on multiple CPUs in parallel.
695
696         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
697         (catch):
698         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
699         (catch):
700         * stress/string-overflow-createError.js:
701
702 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
703
704         [JSC] OSR entry should respect abstract values in addition to flush formats
705         https://bugs.webkit.org/show_bug.cgi?id=195653
706
707         Reviewed by Mark Lam.
708
709         * stress/osr-entry-locals-none.js: Added.
710
711 2019-03-12  Michael Saboff  <msaboff@apple.com>
712
713         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
714         https://bugs.webkit.org/show_bug.cgi?id=195613
715
716         Reviewed by Mark Lam.
717
718         New regression test.
719
720         * stress/regexp-backref-inbounds.js: Added.
721         (testRegExp):
722
723 2019-03-12  Mark Lam  <mark.lam@apple.com>
724
725         The HasIndexedProperty node does GC.
726         https://bugs.webkit.org/show_bug.cgi?id=195559
727         <rdar://problem/48767923>
728
729         Reviewed by Yusuke Suzuki.
730
731         * stress/HasIndexedProperty-does-gc.js: Added.
732
733 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
734
735         [ESNext][BigInt] Implement "~" unary operation
736         https://bugs.webkit.org/show_bug.cgi?id=182216
737
738         Reviewed by Keith Miller.
739
740         * stress/big-int-bit-not-general.js: Added.
741         * stress/big-int-bitwise-not-jit.js: Added.
742         * stress/big-int-bitwise-not-wrapped-value.js: Added.
743         * stress/bit-op-with-object-returning-int32.js:
744         * stress/bitwise-not-fixup-rules.js: Added.
745         * stress/value-bit-not-ai-rule.js: Added.
746
747 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
748
749         Invalid flags in a RegExp literal should be an early SyntaxError
750         https://bugs.webkit.org/show_bug.cgi?id=195514
751
752         Reviewed by Darin Adler.
753
754         * test262/expectations.yaml:
755         Mark 4 test cases as passing.
756
757         * stress/regexp-syntax-error-invalid-flags.js:
758         * stress/regress-161995.js: Removed.
759         Update existing test, merging in an older test for the same behavior.
760
761 2019-03-08  Mark Lam  <mark.lam@apple.com>
762
763         Stack overflow crash in JSC::JSObject::hasInstance.
764         https://bugs.webkit.org/show_bug.cgi?id=195458
765         <rdar://problem/48710195>
766
767         Reviewed by Yusuke Suzuki.
768
769         * stress/stack-overflow-in-custom-hasInstance.js: Added.
770
771 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
772
773         op_check_tdz does not def its argument
774         https://bugs.webkit.org/show_bug.cgi?id=192880
775         <rdar://problem/46221598>
776
777         Reviewed by Saam Barati.
778
779         * microbenchmarks/let-for-in.js: Added.
780         (foo):
781
782 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
783
784         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
785         https://bugs.webkit.org/show_bug.cgi?id=195429
786
787         Reviewed by Saam Barati.
788
789         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
790         (foo):
791         * stress/string-from-char-code-255.js: Added.
792
793 2019-03-06  Mark Lam  <mark.lam@apple.com>
794
795         Fix incorrect handling of try-finally completion values.
796         https://bugs.webkit.org/show_bug.cgi?id=195131
797         <rdar://problem/46222079>
798
799         Reviewed by Saam Barati and Yusuke Suzuki.
800
801         Added many permutations of new test case to test-finally.js.  test-finally.js has
802         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
803         tests pass there as well.
804
805         * stress/test-finally.js:
806
807 2019-03-06  Saam Barati  <sbarati@apple.com>
808
809         Air::reportUsedRegisters must padInterference
810         https://bugs.webkit.org/show_bug.cgi?id=195303
811         <rdar://problem/48270343>
812
813         Reviewed by Keith Miller.
814
815         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
816
817 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
818
819         [JSC] AI should not propagate AbstractValue relying on constant folding phase
820         https://bugs.webkit.org/show_bug.cgi?id=195375
821
822         Reviewed by Saam Barati.
823
824         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
825         (let.array):
826
827 2019-03-05  Saam barati  <sbarati@apple.com>
828
829         op_switch_char broken for rope strings after JSRopeString layout rewrite
830         https://bugs.webkit.org/show_bug.cgi?id=195339
831         <rdar://problem/48592545>
832
833         Reviewed by Yusuke Suzuki.
834
835         * stress/switch-on-char-llint-rope.js: Added.
836
837 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
838
839         [JSC] Store bits for JSRopeString in 3 stores
840         https://bugs.webkit.org/show_bug.cgi?id=195234
841
842         Reviewed by Saam Barati.
843
844         * stress/null-rope-and-collectors.js: Added.
845
846 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
847
848         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
849         https://bugs.webkit.org/show_bug.cgi?id=195207
850
851         Unreviewed. After test runtime was reduced in r242213, test can be
852         run again on ARM/MIPS.
853
854         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
855
856 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
857
858         [JSC] sizeof(JSString) should be 16
859         https://bugs.webkit.org/show_bug.cgi?id=194375
860
861         Reviewed by Saam Barati.
862
863         * microbenchmarks/make-rope.js: Added.
864         (makeRope):
865         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
866         (returnRope.helper): Deleted.
867         (returnRope): Deleted.
868
869 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
870
871         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
872         https://bugs.webkit.org/show_bug.cgi?id=195144
873
874         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
875         Change the number from 1e8 to 1e5.
876
877         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
878         (foo):
879
880 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
881
882         Test times out on ARM/MIPS
883         https://bugs.webkit.org/show_bug.cgi?id=195168
884
885         Unreviewed. Skip test on ARM/MIPS.
886
887         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
888
889 2019-02-27  Mark Lam  <mark.lam@apple.com>
890
891         The parser is failing to record the token location of new in new.target.
892         https://bugs.webkit.org/show_bug.cgi?id=195127
893         <rdar://problem/39645578>
894
895         Reviewed by Yusuke Suzuki.
896
897         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
898
899 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
900
901         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
902         https://bugs.webkit.org/show_bug.cgi?id=195144
903         <rdar://problem/47595961>
904
905         Reviewed by Mark Lam.
906
907         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
908         (bar):
909         (foo):
910         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
911         (bar):
912         (foo):
913
914 2019-02-27  Robin Morisset  <rmorisset@apple.com>
915
916         DFG: Loop-invariant code motion (LICM) should not hoist dead code
917         https://bugs.webkit.org/show_bug.cgi?id=194945
918         <rdar://problem/48311657>
919
920         Reviewed by Mark Lam.
921
922         * stress/licm-dead-code.js: Added.
923
924 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
925
926         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
927         https://bugs.webkit.org/show_bug.cgi?id=194677
928         <rdar://problem/48112492>
929
930         Reviewed by Mark Lam.
931
932         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
933         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
934         it immediately fails due to the large size.
935
936         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
937         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
938         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
939         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
940
941         This patch changes the test to produce 16bit string from String.fromCharCode.
942
943         * stress/regress-178386.js:
944
945 2019-02-26  Mark Lam  <mark.lam@apple.com>
946
947         wasmToJS() should purify incoming NaNs.
948         https://bugs.webkit.org/show_bug.cgi?id=194807
949         <rdar://problem/48189132>
950
951         Reviewed by Saam Barati.
952
953         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
954
955 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
956
957         [JSC] Repeat string created from Array.prototype.join() take too much memory
958         https://bugs.webkit.org/show_bug.cgi?id=193912
959
960         Reviewed by Saam Barati.
961
962         Added a test and a microbenchmark for corner cases of
963         Array.prototype.join() with an uninitialized array.
964
965         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
966         * stress/array-prototype-join-uninitialized.js: Added.
967         (testArray):
968         (testABC):
969         (B):
970         (C):
971
972 2019-02-22  Robin Morisset  <rmorisset@apple.com>
973
974         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
975         https://bugs.webkit.org/show_bug.cgi?id=194953
976         <rdar://problem/47595253>
977
978         Reviewed by Saam Barati.
979
980         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
981
982         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
983
984 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
985
986         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
987         https://bugs.webkit.org/show_bug.cgi?id=172848
988         <rdar://problem/25709212>
989
990         Reviewed by Mark Lam.
991
992         * typeProfiler/inheritance.js:
993         Rewrite the test slightly for clarity. The hoisting was confusing.
994
995         * heapProfiler/class-names.js: Added.
996         (MyES5Class):
997         (MyES6Class):
998         (MyES6Subclass):
999         Test object types and improved class names.
1000
1001         * heapProfiler/driver/driver.js:
1002         (CheapHeapSnapshotNode):
1003         (CheapHeapSnapshot):
1004         (createCheapHeapSnapshot):
1005         (HeapSnapshot):
1006         (createHeapSnapshot):
1007         Update snapshot parsing from version 1 to version 2.
1008
1009 2019-02-19  Truitt Savell  <tsavell@apple.com>
1010
1011         Unreviewed, rolling out r241784.
1012
1013         Broke all OpenSource builds.
1014
1015         Reverted changeset:
1016
1017         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
1018         instances view"
1019         https://bugs.webkit.org/show_bug.cgi?id=172848
1020         https://trac.webkit.org/changeset/241784
1021
1022 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1023
1024         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1025         https://bugs.webkit.org/show_bug.cgi?id=172848
1026         <rdar://problem/25709212>
1027
1028         Reviewed by Mark Lam.
1029
1030         * typeProfiler/inheritance.js:
1031         Rewrite the test slightly for clarity. The hoisting was confusing.
1032
1033         * heapProfiler/class-names.js: Added.
1034         (MyES5Class):
1035         (MyES6Class):
1036         (MyES6Subclass):
1037         Test object types and improved class names.
1038
1039         * heapProfiler/driver/driver.js:
1040         (CheapHeapSnapshotNode):
1041         (CheapHeapSnapshot):
1042         (createCheapHeapSnapshot):
1043         (HeapSnapshot):
1044         (createHeapSnapshot):
1045         Update snapshot parsing from version 1 to version 2.
1046
1047 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1048
1049         [ARM] Fix crash with sampling profiler
1050         https://bugs.webkit.org/show_bug.cgi?id=194772
1051
1052         Reviewed by Mark Lam.
1053
1054         Do not skip test since crash with sampling profiler is now fixed.
1055
1056         * stress/sampling-profiler-richards.js:
1057
1058 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1059
1060         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1061         https://bugs.webkit.org/show_bug.cgi?id=194784
1062         <rdar://problem/48154820>
1063
1064         Reviewed by Mark Lam.
1065
1066         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1067         (getProperties):
1068         (getRandomProperty):
1069         (i.catch):
1070
1071 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1072
1073         [ARM] Test gardening: Test running out of executable memory
1074         https://bugs.webkit.org/show_bug.cgi?id=194771
1075
1076         Unreviewed. Do not run test without LLInt, test is running out of executable
1077         memory on ARM otherwise.
1078
1079         * stress/tagged-template-object-collect.js:
1080
1081 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1082
1083         Unreviewed, skip the test on platforms without sampling profiler
1084
1085         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1086         (platformSupportsSamplingProfiler.foo):
1087         (platformSupportsSamplingProfiler.test):
1088         (platformSupportsSamplingProfiler):
1089         (foo): Deleted.
1090         (test): Deleted.
1091
1092 2019-02-17  Saam Barati  <sbarati@apple.com>
1093
1094         Deadlock when adding a Structure property transition and then doing incremental marking
1095         https://bugs.webkit.org/show_bug.cgi?id=194767
1096
1097         Reviewed by Mark Lam.
1098
1099         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1100
1101 2019-02-15  Michael Saboff  <msaboff@apple.com>
1102
1103         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1104         https://bugs.webkit.org/show_bug.cgi?id=194558
1105
1106         Reviewed by Saam Barati.
1107
1108         New regression test.
1109
1110         * stress/regexp-unicode-within-string.js: Added.
1111
1112 2019-02-15  Mark Lam  <mark.lam@apple.com>
1113
1114         SamplingProfiler::stackTracesAsJSON() should escape strings.
1115         https://bugs.webkit.org/show_bug.cgi?id=194649
1116         <rdar://problem/48072386>
1117
1118         Reviewed by Saam Barati.
1119
1120         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1121         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1122         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1123         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1124
1125 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1126         CodeBlock::jettison should clear related watchpoints
1127         https://bugs.webkit.org/show_bug.cgi?id=194544
1128
1129         Reviewed by Mark Lam.
1130
1131         * stress/regexp-replace-double-watchpoint.js: Added.
1132         (foo):
1133
1134 2019-02-15  Saam barati  <sbarati@apple.com>
1135
1136         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1137         https://bugs.webkit.org/show_bug.cgi?id=194036
1138
1139         Reviewed by Yusuke Suzuki.
1140
1141         * stress/tail-call-many-arguments.js: Added.
1142         (foo):
1143         (bar):
1144
1145 2019-02-14  Saam Barati  <sbarati@apple.com>
1146
1147         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1148         https://bugs.webkit.org/show_bug.cgi?id=194583
1149         <rdar://problem/48028140>
1150
1151         Reviewed by Yusuke Suzuki.
1152
1153         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1154
1155 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1156
1157         [JSC] String.fromCharCode's slow path always generates 16bit string
1158         https://bugs.webkit.org/show_bug.cgi?id=194466
1159
1160         Reviewed by Keith Miller.
1161
1162         * stress/string-from-char-code-slow-path.js: Added.
1163         (shouldBe):
1164         (testWithLength):
1165
1166 2019-02-08  Saam barati  <sbarati@apple.com>
1167
1168         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1169         https://bugs.webkit.org/show_bug.cgi?id=194334
1170         <rdar://problem/47844327>
1171
1172         Reviewed by Mark Lam.
1173
1174         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1175         (func):
1176
1177 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1178
1179         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1180         https://bugs.webkit.org/show_bug.cgi?id=194369
1181         <rdar://problem/47813087>
1182
1183         Reviewed by Saam Barati.
1184
1185         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1186         (A):
1187
1188 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1189
1190         [JSC] PrivateName to PublicName hash table is wasteful
1191         https://bugs.webkit.org/show_bug.cgi?id=194277
1192
1193         Reviewed by Michael Saboff.
1194
1195         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1196
1197         * ChakraCore.yaml:
1198
1199 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1200
1201         [ARM] Test running out of executable memory
1202         https://bugs.webkit.org/show_bug.cgi?id=194285
1203
1204         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1205         executable memory otherwise.
1206
1207         * stress/class-subclassing-function.js:
1208
1209 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1210
1211         when lowering AssertNotEmpty, create the value before creating the patchpoint
1212         https://bugs.webkit.org/show_bug.cgi?id=194231
1213
1214         Reviewed by Saam Barati.
1215
1216         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1217         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1218         So even tiny changes to this test can change the path code taken.
1219
1220         * stress/assert-not-empty.js: Added.
1221         (foo):
1222
1223 2019-02-01  Mark Lam  <mark.lam@apple.com>
1224
1225         Remove invalid assertion in DFG's compileDoubleRep().
1226         https://bugs.webkit.org/show_bug.cgi?id=194130
1227         <rdar://problem/47699474>
1228
1229         Reviewed by Saam Barati.
1230
1231         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1232
1233 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1234
1235         Import latest Test262 updates.
1236
1237         Rubber-stamped by Keith Miller.
1238
1239         * test262.yaml: Deleted.
1240         * test262/config.yaml:
1241         * test262/expectations.yaml:
1242         * test262/latest-changes-summary.txt:
1243         * test262/test/:
1244         * test262/test262-Revision.txt:
1245
1246 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1247
1248         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1249         https://bugs.webkit.org/show_bug.cgi?id=194050
1250         <rdar://problem/47595592>
1251
1252         Reviewed by Yusuke Suzuki.
1253
1254         * stress/object-keys-osr-exit.js: Added.
1255         (foo):
1256         (catch):
1257
1258 2019-01-29  Mark Lam  <mark.lam@apple.com>
1259
1260         ValueRecovery::recover() should purify NaN values it recovers.
1261         https://bugs.webkit.org/show_bug.cgi?id=193978
1262         <rdar://problem/47625488>
1263
1264         Reviewed by Saam Barati.
1265
1266         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1267
1268 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1269
1270         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1271         https://bugs.webkit.org/show_bug.cgi?id=193713
1272
1273         * stress/try-get-by-id-should-spill-registers-dfg.js:
1274         (let.f.createBuiltin):
1275
1276 2019-01-28  Mark Lam  <mark.lam@apple.com>
1277
1278         ToString node actually does GC.
1279         https://bugs.webkit.org/show_bug.cgi?id=193920
1280         <rdar://problem/46695900>
1281
1282         Reviewed by Yusuke Suzuki.
1283
1284         * stress/dfg-to-string-on-int-does-gc.js: Added.
1285         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1286         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1287
1288 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1289
1290         [JSC] NativeErrorConstructor should not have own IsoSubspace
1291         https://bugs.webkit.org/show_bug.cgi?id=193713
1292
1293         Reviewed by Saam Barati.
1294
1295         Remove @Error use.
1296
1297         * stress/try-get-by-id-should-spill-registers-dfg.js:
1298         (let.f.createBuiltin):
1299
1300 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1301
1302         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1303         https://bugs.webkit.org/show_bug.cgi?id=190693
1304
1305         Reviewed by Michael Saboff.
1306
1307         * stress/regress-190693.js: Added.
1308         (truth):
1309         (assert):
1310         (shouldThrowInvalidConstAssignment):
1311         (taz):
1312
1313 2019-01-24  Saam Barati  <sbarati@apple.com>
1314
1315         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1316         https://bugs.webkit.org/show_bug.cgi?id=193751
1317         <rdar://problem/47280215>
1318
1319         Reviewed by Michael Saboff.
1320
1321         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1322         (let.thing):
1323         (foo.let.hello):
1324         (foo):
1325
1326 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1327
1328         [JSC] Reenable baseline JIT on mips
1329         https://bugs.webkit.org/show_bug.cgi?id=192983
1330
1331         Reviewed by Mark Lam.
1332
1333         Added a new test for a case that was triggering a RELEASE_ASSERT when
1334         testing.
1335         Disable some slow tests that were already disabled for arm and x86.
1336
1337         * stress/json-parse-big-object.js: Added.
1338         * stress/new-largeish-contiguous-array-with-size.js:
1339         * stress/op_add.js:
1340         * stress/op_bitand.js:
1341         * stress/op_bitor.js:
1342         * stress/op_bitxor.js:
1343         * stress/op_lshift-ConstVar.js:
1344         * stress/op_lshift-VarConst.js:
1345         * stress/op_lshift-VarVar.js:
1346         * stress/op_mod-ConstVar.js:
1347         * stress/op_mod-VarConst.js:
1348         * stress/op_mod-VarVar.js:
1349         * stress/op_mul-ConstVar.js:
1350         * stress/op_mul-VarConst.js:
1351         * stress/op_mul-VarVar.js:
1352         * stress/op_rshift-ConstVar.js:
1353         * stress/op_rshift-VarConst.js:
1354         * stress/op_rshift-VarVar.js:
1355         * stress/op_sub-ConstVar.js:
1356         * stress/op_sub-VarConst.js:
1357         * stress/op_sub-VarVar.js:
1358         * stress/op_urshift-ConstVar.js:
1359         * stress/op_urshift-VarConst.js:
1360         * stress/op_urshift-VarVar.js:
1361         * stress/sampling-profiler-richards.js:
1362         * stress/spread-forward-call-varargs-stack-overflow.js:
1363
1364 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1365
1366         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1367         https://bugs.webkit.org/show_bug.cgi?id=193711
1368         <rdar://problem/47250262>
1369
1370         Reviewed by Saam Barati.
1371
1372         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1373         (shouldBe):
1374         (foo):
1375         (bar):
1376         (baz):
1377
1378 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1379
1380         Unreviewed, fix initial global lexical binding epoch
1381         https://bugs.webkit.org/show_bug.cgi?id=193603
1382         <rdar://problem/47380869>
1383
1384         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1385         (f1.f2.f3.f4):
1386         (f1.f2.f3):
1387         (f1.f2):
1388         (f1):
1389
1390 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1391
1392         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1393         https://bugs.webkit.org/show_bug.cgi?id=193709
1394         <rdar://problem/47363838>
1395
1396         Unreviewed, rollout to watch the tests.
1397
1398         * stress/object-tostring-changed-proto.js: Removed.
1399         * stress/object-tostring-changed.js: Removed.
1400         * stress/object-tostring-misc.js: Removed.
1401         * stress/object-tostring-other.js: Removed.
1402         * stress/object-tostring-untyped.js: Removed.
1403
1404 2019-01-22  Saam Barati  <sbarati@apple.com>
1405
1406         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1407
1408         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1409         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1410         (testUncheckedLessThanZero):
1411         (testUncheckedLessThanOrEqualZero):
1412         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1413         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1414
1415 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1416
1417         [JSC] Invalidate old scope operations using global lexical binding epoch
1418         https://bugs.webkit.org/show_bug.cgi?id=193603
1419         <rdar://problem/47380869>
1420
1421         Reviewed by Saam Barati.
1422
1423         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1424         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1425         (shouldThrow):
1426         (bar):
1427         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1428         (shouldBe):
1429         (get1):
1430         (get2):
1431         (get1If):
1432         (get2If):
1433         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1434         (shouldThrow):
1435         (foo):
1436
1437 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1438
1439         Unreviewed, roll out r240220 due to date-format-xparb regression
1440         https://bugs.webkit.org/show_bug.cgi?id=193603
1441
1442         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1443         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1444         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1445         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1446
1447 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1448
1449         DoesGC rule is wrong for nodes with BigIntUse
1450         https://bugs.webkit.org/show_bug.cgi?id=193652
1451
1452         Reviewed by Saam Barati.
1453
1454         * stress/big-int-value-op-update-gc-rules.js: Added.
1455         (assert):
1456         (doesGCAdd):
1457         (doesGCSub):
1458         (doesGCDiv):
1459         (doesGCMul):
1460         (doesGCBitAnd):
1461         (doesGCBitOr):
1462         (doesGCBitXor):
1463
1464 2019-01-20  Saam Barati  <sbarati@apple.com>
1465
1466         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1467         https://bugs.webkit.org/show_bug.cgi?id=193644
1468         <rdar://problem/46209745>
1469
1470         Reviewed by Yusuke Suzuki.
1471
1472         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1473         (foo):
1474         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1475         (foo):
1476         (bar):
1477
1478 2019-01-20  Saam Barati  <sbarati@apple.com>
1479
1480         MovHint must merge NodeBytecodeUsesAsValue for its child
1481         https://bugs.webkit.org/show_bug.cgi?id=186916
1482         <rdar://problem/41396612>
1483
1484         Reviewed by Yusuke Suzuki.
1485
1486         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1487         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1488
1489 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1490
1491         [JSC] Invalidate old scope operations using global lexical binding epoch
1492         https://bugs.webkit.org/show_bug.cgi?id=193603
1493         <rdar://problem/47380869>
1494
1495         Reviewed by Saam Barati.
1496
1497         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1498         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1499         (shouldThrow):
1500         (bar):
1501         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1502         (shouldBe):
1503         (get1):
1504         (get2):
1505         (get1If):
1506         (get2If):
1507         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1508         (shouldThrow):
1509         (foo):
1510
1511 2019-01-17  Saam barati  <sbarati@apple.com>
1512
1513         StringObjectUse should not be a structure check for the original string object structure
1514         https://bugs.webkit.org/show_bug.cgi?id=193483
1515         <rdar://problem/47280522>
1516
1517         Reviewed by Yusuke Suzuki.
1518
1519         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1520         (foo):
1521         (a.valueOf.0):
1522
1523 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1524
1525         [JSC] ToThis omission in DFGByteCodeParser is wrong
1526         https://bugs.webkit.org/show_bug.cgi?id=193513
1527         <rdar://problem/45842236>
1528
1529         Reviewed by Saam Barati.
1530
1531         * stress/to-this-omission-with-different-strict-modes.js: Added.
1532         (thisA):
1533         (thisAStrictWrapper):
1534
1535 2019-01-15  Mark Lam  <mark.lam@apple.com>
1536
1537         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1538         https://bugs.webkit.org/show_bug.cgi?id=193423
1539         <rdar://problem/46209355>
1540
1541         Reviewed by Saam Barati.
1542
1543         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1544         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1545         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1546         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1547
1548 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1549
1550         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1551         https://bugs.webkit.org/show_bug.cgi?id=193438
1552         <rdar://problem/45581249>
1553
1554         Reviewed by Saam Barati and Keith Miller.
1555
1556         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1557         Then, GetByVal(String) crashed.
1558
1559         * stress/string-get-by-val-lowering.js: Added.
1560         (shouldBe):
1561         (test):
1562         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1563         (Hello):
1564         (foo):
1565
1566 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1567
1568         Unreviewed, skip JIT tests if it's not enabled
1569
1570         * stress/bit-op-with-object-returning-int32.js:
1571
1572 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1573
1574         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1575         https://bugs.webkit.org/show_bug.cgi?id=192966
1576
1577         Reviewed by Yusuke Suzuki.
1578
1579         * stress/bit-op-with-object-returning-int32.js: Added.
1580
1581 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1582
1583         Skip a slow test and a flakey test on arm
1584
1585         Unreviewed gardening.
1586
1587         * typeProfiler/getter-richards.js:
1588         this test always times out, it used to be always skipped on arm and
1589         mips, but got accidentally enabled by r237919 now that we have DFG on
1590         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1591
1592 2019-01-14  Keith Miller  <keith_miller@apple.com>
1593
1594         Skip type-check-hoisting-phase-hoist... with no jit
1595         https://bugs.webkit.org/show_bug.cgi?id=193421
1596
1597         Reviewed by Mark Lam.
1598
1599         It's timing out the 32-bit bots and takes 330 seconds
1600         on my machine when run by itself.
1601
1602         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1603
1604 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1605
1606         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1607         https://bugs.webkit.org/show_bug.cgi?id=193413
1608         <rdar://problem/46092389>
1609
1610         Reviewed by Keith Miller.
1611
1612         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1613         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1614         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1615         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1616
1617         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1618         (compareArray):
1619
1620 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1621
1622         [BigInt] Literal parsing is crashing when used inside a Object Literal
1623         https://bugs.webkit.org/show_bug.cgi?id=193404
1624
1625         Reviewed by Yusuke Suzuki.
1626
1627         * stress/big-int-literal-inside-literal-object.js: Added.
1628
1629 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1630
1631         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1632         https://bugs.webkit.org/show_bug.cgi?id=193372
1633
1634         Reviewed by Saam Barati.
1635
1636         * stress/typed-array-array-modes-profile.js: Added.
1637         (foo):
1638
1639 2019-01-14  Mark Lam  <mark.lam@apple.com>
1640
1641         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1642         https://bugs.webkit.org/show_bug.cgi?id=193402
1643         <rdar://problem/46012309>
1644
1645         Reviewed by Keith Miller.
1646
1647         * stress/regexp-compile-oom.js:
1648         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1649           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1650
1651 2019-01-11  Saam barati  <sbarati@apple.com>
1652
1653         DFG combined liveness can be wrong for terminal basic blocks
1654         https://bugs.webkit.org/show_bug.cgi?id=193304
1655         <rdar://problem/45268632>
1656
1657         Reviewed by Yusuke Suzuki.
1658
1659         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1660
1661 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1662
1663         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1664         https://bugs.webkit.org/show_bug.cgi?id=193308
1665         <rdar://problem/45546542>
1666
1667         Reviewed by Saam Barati.
1668
1669         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1670         (shouldThrow):
1671         (shouldBe):
1672         (foo):
1673         (get shouldThrow):
1674         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1675         (shouldThrow):
1676         (shouldBe):
1677         (foo):
1678         (get shouldBe):
1679         (get shouldThrow):
1680         (get return):
1681         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1682         (shouldThrow):
1683         (shouldBe):
1684         (foo):
1685         (get shouldBe):
1686         (get shouldThrow):
1687         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1688         (shouldThrow):
1689         (shouldBe):
1690         (foo):
1691         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1692         (shouldThrow):
1693         (shouldBe):
1694         (foo):
1695         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1696         (shouldThrow):
1697         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1698         (shouldThrow):
1699         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1700         (shouldThrow):
1701         (shouldBe):
1702         (foo):
1703         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1704         (shouldThrow):
1705         (shouldBe):
1706         (foo):
1707         (get shouldBe):
1708         (get shouldThrow):
1709         (get return):
1710         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1711         (shouldThrow):
1712         (shouldBe):
1713         (foo):
1714         (get shouldBe):
1715         (get shouldThrow):
1716         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1717         (shouldThrow):
1718         (shouldBe):
1719         (foo):
1720         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1721         (shouldThrow):
1722         (shouldBe):
1723         (foo):
1724
1725 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1726
1727         Enable DFG on ARM/Linux again
1728         https://bugs.webkit.org/show_bug.cgi?id=192496
1729
1730         Reviewed by Yusuke Suzuki.
1731
1732         Test wasn't really skipped before moving the line with skip
1733         to the top.
1734
1735         * stress/regress-192717.js:
1736
1737 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1738
1739         Unreviewed, rolling out r239825.
1740         https://bugs.webkit.org/show_bug.cgi?id=193330
1741
1742         Broke tests on armv7/linux bots (Requested by guijemont on
1743         #webkit).
1744
1745         Reverted changeset:
1746
1747         "Enable DFG on ARM/Linux again"
1748         https://bugs.webkit.org/show_bug.cgi?id=192496
1749         https://trac.webkit.org/changeset/239825
1750
1751 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1752
1753         Enable DFG on ARM/Linux again
1754         https://bugs.webkit.org/show_bug.cgi?id=192496
1755
1756         Reviewed by Yusuke Suzuki.
1757
1758         Test wasn't really skipped before moving the line with skip
1759         to the top.
1760
1761         * stress/regress-192717.js:
1762
1763 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1764
1765         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1766         https://bugs.webkit.org/show_bug.cgi?id=193127
1767
1768         Reviewed by Saam Barati.
1769
1770         * stress/array-species-create-should-handle-masquerader.js: Added.
1771         (shouldThrow):
1772         * stress/is-undefined-or-null-builtin.js: Added.
1773         (shouldBe):
1774         (isUndefinedOrNull.vm.createBuiltin):
1775
1776 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1777
1778         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1779         https://bugs.webkit.org/show_bug.cgi?id=193221
1780
1781         Reviewed by Mark Lam.
1782
1783         * stress/put-by-id-flags.js: Added.
1784         (f):
1785         (g):
1786         (numberOfDFGCompiles):
1787
1788 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1789
1790         Baseline version of get_by_id may corrupt metadata
1791         https://bugs.webkit.org/show_bug.cgi?id=193085
1792         <rdar://problem/23453006>
1793
1794         Reviewed by Saam Barati.
1795
1796         * stress/get-by-id-change-mode.js: Added.
1797         (forEach):
1798
1799 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1800
1801         [JSC] Optimize Object.prototype.toString
1802         https://bugs.webkit.org/show_bug.cgi?id=193031
1803
1804         Reviewed by Saam Barati.
1805
1806         * stress/object-tostring-changed-proto.js: Added.
1807         (shouldBe):
1808         (test):
1809         * stress/object-tostring-changed.js: Added.
1810         (shouldBe):
1811         (test):
1812         * stress/object-tostring-misc.js: Added.
1813         (shouldBe):
1814         (test):
1815         (i.switch):
1816         * stress/object-tostring-other.js: Added.
1817         (shouldBe):
1818         (test):
1819         * stress/object-tostring-untyped.js: Added.
1820         (shouldBe):
1821         (test):
1822         (i.switch):
1823
1824 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1825
1826         test262-runner misbehaves when test file YAML has a trailing space
1827         https://bugs.webkit.org/show_bug.cgi?id=193053
1828
1829         Reviewed by Yusuke Suzuki.
1830
1831         * test262/expectations.yaml:
1832         Mark two dozen tests as passing (and correct the output of another).
1833
1834 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1835
1836         Unreviewed, JSTests gardening with memoryLimited
1837
1838         * stress/string-overflow-createError.js:
1839
1840 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1841
1842         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1843         https://bugs.webkit.org/show_bug.cgi?id=193050
1844
1845         Reviewed by Yusuke Suzuki.
1846
1847         * test262.yaml:
1848         * test262/expectations.yaml:
1849         Mark 16 tests as passing.
1850
1851 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1852
1853         [BigInt] Support BigInt in JSON.stringify
1854         https://bugs.webkit.org/show_bug.cgi?id=192624
1855
1856         Reviewed by Saam Barati.
1857
1858         * stress/big-int-json-stringify-to-json.js: Added.
1859         (shouldBe):
1860         (shouldThrow):
1861         (BigInt.prototype.toJSON):
1862         (shouldBe.JSON.stringify):
1863         * stress/big-int-json-stringify.js: Added.
1864         (shouldBe):
1865         (shouldThrow):
1866
1867 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1868
1869         [JSC] Implement "well-formed JSON.stringify" proposal
1870         https://bugs.webkit.org/show_bug.cgi?id=191677
1871
1872         Reviewed by Darin Adler.
1873
1874         * stress/json-surrogate-pair.js: Added.
1875         (shouldBe):
1876         * test262/expectations.yaml:
1877
1878 2018-12-20  Keith Miller  <keith_miller@apple.com>
1879
1880         Add support for globalThis
1881         https://bugs.webkit.org/show_bug.cgi?id=165171
1882
1883         Reviewed by Mark Lam.
1884
1885         * test262/config.yaml:
1886
1887 2018-12-19  Keith Miller  <keith_miller@apple.com>
1888
1889         Update test262 configuration to not run tests dependent on ICU version.
1890         https://bugs.webkit.org/show_bug.cgi?id=192920
1891
1892         Reviewed by Saam Barati.
1893
1894         * test262/expectations.yaml:
1895
1896 2018-12-20  Mark Lam  <mark.lam@apple.com>
1897
1898         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1899         https://bugs.webkit.org/show_bug.cgi?id=192939
1900         <rdar://problem/46869516>
1901
1902         Reviewed by Keith Miller.
1903
1904         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1905
1906 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1907
1908         WTF::String and StringImpl overflow MaxLength
1909         https://bugs.webkit.org/show_bug.cgi?id=192853
1910         <rdar://problem/45726906>
1911
1912         Reviewed by Mark Lam.
1913
1914         * stress/string-16bit-repeat-overflow.js: Added.
1915         (catch):
1916
1917 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1918
1919         Unreviewed follow-up to r192914.
1920
1921         * test262/expectations.yaml:
1922         Add the last 20 missing expectations.
1923
1924 2018-12-19  Keith Miller  <keith_miller@apple.com>
1925
1926         Fix test262 expectations
1927         https://bugs.webkit.org/show_bug.cgi?id=192914
1928
1929         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1930
1931         * test262/expectations.yaml:
1932
1933 2018-12-19  Keith Miller  <keith_miller@apple.com>
1934
1935         Update test262 tests.
1936         https://bugs.webkit.org/show_bug.cgi?id=192907
1937
1938         Rubber stamped by Mark Lam.
1939
1940         * test262/*: Omitted because prepare-changelog crashes.
1941
1942 2018-12-19  Mark Lam  <mark.lam@apple.com>
1943
1944         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1945         https://bugs.webkit.org/show_bug.cgi?id=192464
1946         <rdar://problem/46519455>
1947
1948         Reviewed by Saam Barati.
1949
1950         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1951         microbenchmark.
1952
1953         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1954         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1955
1956 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1957
1958         String overflow in JSC::createError results in ASSERT in WTF::makeString
1959         https://bugs.webkit.org/show_bug.cgi?id=192833
1960         <rdar://problem/45706868>
1961
1962         Reviewed by Mark Lam.
1963
1964         * stress/string-overflow-createError.js: Added.
1965
1966 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1967
1968         Error message for `-x ** y` contains a typo.
1969         https://bugs.webkit.org/show_bug.cgi?id=192832
1970
1971         Reviewed by Saam Barati.
1972
1973         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1974         (assert.assert.return.throws):
1975         * stress/pow-expects-update-expression-on-lhs.js:
1976         (throw.new.Error):
1977         Update test expectations which match against the exact error message.
1978
1979 2018-12-18  Mark Lam  <mark.lam@apple.com>
1980
1981         Gardening: test options fix.
1982         https://bugs.webkit.org/show_bug.cgi?id=192822
1983
1984         Unreviewed.
1985
1986         * stress/json-stringify-string-builder-overflow.js:
1987
1988 2018-12-18  Mark Lam  <mark.lam@apple.com>
1989
1990         JSON.stringify() should throw OOM on StringBuilder overflows.
1991         https://bugs.webkit.org/show_bug.cgi?id=192822
1992         <rdar://problem/46670577>
1993
1994         Reviewed by Saam Barati.
1995
1996         * stress/json-stringify-string-builder-overflow.js: Added.
1997
1998 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1999
2000         Redeclaration of var over let/const/class should be a syntax error.
2001         https://bugs.webkit.org/show_bug.cgi?id=192298
2002
2003         Reviewed by Keith Miller.
2004
2005         * test262.yaml:
2006         * test262/expectations.yaml:
2007         Mark 46 tests as passing.
2008
2009         * stress/block-scope-redeclarations.js:
2010         Add some new tests.
2011
2012         * stress/for-in-invalidate-context-weird-assignments.js:
2013         * stress/for-in-tests.js:
2014         Replace tests for outdated behavior with tests for SyntaxError.
2015
2016         * ChakraCore/test/LetConst/defer3.baseline-jsc:
2017         * ChakraCore/test/LetConst/letvar.baseline-jsc:
2018         Update expectations.
2019
2020 2018-12-18  Mark Lam  <mark.lam@apple.com>
2021
2022         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
2023         https://bugs.webkit.org/show_bug.cgi?id=191374
2024         <rdar://problem/46525447>
2025
2026         Reviewed by Yusuke Suzuki.
2027
2028         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2029
2030         * stress/elidable-new-object-roflcopter-then-exit.js:
2031
2032 2018-12-17  Mark Lam  <mark.lam@apple.com>
2033
2034         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2035         https://bugs.webkit.org/show_bug.cgi?id=192019
2036         <rdar://problem/46525456>
2037
2038         Reviewed by Yusuke Suzuki.
2039
2040         The test runs too slow on 32-bit.
2041
2042         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2043
2044 2018-12-17  Mark Lam  <mark.lam@apple.com>
2045
2046         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2047         https://bugs.webkit.org/show_bug.cgi?id=191373
2048         <rdar://problem/46525458>
2049
2050         Reviewed by Yusuke Suzuki.
2051
2052         The test is already slow running with a JIT on 64-bit.  It will always time out
2053         on 32-bit without a JIT.
2054
2055         * stress/materialize-regexp-cyclic-regexp.js:
2056
2057 2018-12-17  Mark Lam  <mark.lam@apple.com>
2058
2059         Array unshift/shift should not race against the AI in the compiler thread.
2060         https://bugs.webkit.org/show_bug.cgi?id=192795
2061         <rdar://problem/46724263>
2062
2063         Reviewed by Saam Barati.
2064
2065         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2066
2067 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2068
2069         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2070         https://bugs.webkit.org/show_bug.cgi?id=190047
2071
2072         Reviewed by Saam Barati.
2073
2074         * stress/object-keys-cached-zero.js: Added.
2075         (shouldBe):
2076         (test):
2077         * stress/object-keys-changed-attribute.js: Added.
2078         (shouldBe):
2079         (test):
2080         * stress/object-keys-changed-index.js: Added.
2081         (shouldBe):
2082         (test):
2083         * stress/object-keys-changed.js: Added.
2084         (shouldBe):
2085         (test):
2086         * stress/object-keys-indexed-non-cache.js: Added.
2087         (shouldBe):
2088         (test):
2089         * stress/object-keys-overrides-get-property-names.js: Added.
2090         (shouldBe):
2091         (test):
2092         (noInline):
2093
2094 2018-12-17  Mark Lam  <mark.lam@apple.com>
2095
2096         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2097         https://bugs.webkit.org/show_bug.cgi?id=192779
2098         <rdar://problem/46775869>
2099
2100         Reviewed by Saam Barati.
2101
2102         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2103
2104 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2105
2106         Unreviewed test gardening, address a syntax error in a new test.
2107
2108         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2109
2110 2018-12-17  Mark Lam  <mark.lam@apple.com>
2111
2112         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2113         https://bugs.webkit.org/show_bug.cgi?id=192776
2114         <rdar://problem/46772368>
2115
2116         Reviewed by Keith Miller.
2117
2118         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2119
2120 2018-12-17  Mark Lam  <mark.lam@apple.com>
2121
2122         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2123         https://bugs.webkit.org/show_bug.cgi?id=192770
2124         <rdar://problem/46449037>
2125
2126         Reviewed by Keith Miller.
2127
2128         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2129
2130 2018-12-14  Mark Lam  <mark.lam@apple.com>
2131
2132         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2133         https://bugs.webkit.org/show_bug.cgi?id=192717
2134         <rdar://problem/46660677>
2135
2136         Reviewed by Saam Barati.
2137
2138         * stress/regress-192717.js: Added.
2139
2140 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2141
2142         Unreviewed, rolling out r239153, r239154, and r239155.
2143         https://bugs.webkit.org/show_bug.cgi?id=192715
2144
2145         Caused flaky GC-related crashes seen with layout tests
2146         (Requested by ryanhaddad on #webkit).
2147
2148         Reverted changesets:
2149
2150         "[JSC] Optimize Object.keys by caching own keys results in
2151         StructureRareData"
2152         https://bugs.webkit.org/show_bug.cgi?id=190047
2153         https://trac.webkit.org/changeset/239153
2154
2155         "Unreviewed, build fix after r239153"
2156         https://bugs.webkit.org/show_bug.cgi?id=190047
2157         https://trac.webkit.org/changeset/239154
2158
2159         "Unreviewed, build fix after r239153, part 2"
2160         https://bugs.webkit.org/show_bug.cgi?id=190047
2161         https://trac.webkit.org/changeset/239155
2162
2163 2018-12-14  Keith Miller  <keith_miller@apple.com>
2164
2165         Callers of JSString::getIndex should check for OOM exceptions
2166         https://bugs.webkit.org/show_bug.cgi?id=192709
2167
2168         Reviewed by Mark Lam.
2169
2170         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2171
2172 2018-12-13  Mark Lam  <mark.lam@apple.com>
2173
2174         Add a missing exception check.
2175         https://bugs.webkit.org/show_bug.cgi?id=192626
2176         <rdar://problem/46662163>
2177
2178         Reviewed by Keith Miller.
2179
2180         * stress/regress-192626.js: Added.
2181
2182 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2183
2184         [BigInt] Add ValueDiv into DFG
2185         https://bugs.webkit.org/show_bug.cgi?id=186178
2186
2187         Reviewed by Yusuke Suzuki.
2188
2189         * stress/big-int-div-jit-osr.js: Added.
2190         * stress/big-int-div-jit-untyped.js: Added.
2191         * stress/value-div-fixup-int32-big-int.js: Added.
2192
2193 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2194
2195         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2196         https://bugs.webkit.org/show_bug.cgi?id=190047
2197
2198         Reviewed by Keith Miller.
2199
2200         * stress/object-keys-cached-zero.js: Added.
2201         (shouldBe):
2202         (test):
2203         * stress/object-keys-changed-attribute.js: Added.
2204         (shouldBe):
2205         (test):
2206         * stress/object-keys-changed-index.js: Added.
2207         (shouldBe):
2208         (test):
2209         * stress/object-keys-changed.js: Added.
2210         (shouldBe):
2211         (test):
2212         * stress/object-keys-indexed-non-cache.js: Added.
2213         (shouldBe):
2214         (test):
2215         * stress/object-keys-overrides-get-property-names.js: Added.
2216         (shouldBe):
2217         (test):
2218         (noInline):
2219
2220 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2221
2222         [DFG][FTL] Add NewSymbol
2223         https://bugs.webkit.org/show_bug.cgi?id=192620
2224
2225         Reviewed by Saam Barati.
2226
2227         * microbenchmarks/symbol-creation.js: Added.
2228         (test):
2229         * stress/symbol-description-identity.js: Added.
2230         (shouldBe):
2231         (test):
2232         * stress/symbol-identity.js: Added.
2233         (shouldBe):
2234         (test):
2235         * stress/symbol-with-description-throw-error.js: Added.
2236         (shouldBe):
2237         (shouldThrow):
2238         (test):
2239         (object.toString):
2240
2241 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2242
2243         [BigInt] Implement DFG/FTL typeof for BigInt
2244         https://bugs.webkit.org/show_bug.cgi?id=192619
2245
2246         Reviewed by Keith Miller.
2247
2248         * stress/big-int-boolean-proven-type.js: Added.
2249         (assert):
2250         (bool):
2251         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2252         (assert):
2253         (typeOf):
2254         (i.switch):
2255         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2256         (assert):
2257         (typeOf):
2258         * stress/big-int-type-of.js:
2259         (typeOf):
2260         (func):
2261
2262 2018-12-10  Mark Lam  <mark.lam@apple.com>
2263
2264         PropertyAttribute needs a CustomValue bit.
2265         https://bugs.webkit.org/show_bug.cgi?id=191993
2266         <rdar://problem/46264467>
2267
2268         Reviewed by Saam Barati.
2269
2270         * stress/regress-191993.js: Added.
2271
2272 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2273
2274         [BigInt] Add ValueMul into DFG
2275         https://bugs.webkit.org/show_bug.cgi?id=186175
2276
2277         Reviewed by Yusuke Suzuki.
2278
2279         * stress/big-int-mul-jit-osr.js: Added.
2280         * stress/big-int-mul-jit-untyped.js: Added.
2281         * stress/value-mul-fixup-int32-big-int.js: Added.
2282
2283 2018-12-06  Keith Miller  <keith_miller@apple.com>
2284
2285         stress/big-wasm-memory tests failing on 32-bit JSC bot
2286         https://bugs.webkit.org/show_bug.cgi?id=192020
2287
2288         Reviewed by Saam Barati.
2289
2290         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2291         the wasm stress tests if the WebAssembly object does not exist.
2292
2293         * stress/big-wasm-memory-grow-no-max.js:
2294         (test.foo):
2295         (test):
2296         (foo): Deleted.
2297         (catch): Deleted.
2298         * stress/big-wasm-memory-grow.js:
2299         (test.foo):
2300         (test):
2301         (foo): Deleted.
2302         (catch): Deleted.
2303         * stress/big-wasm-memory.js:
2304         (test.foo):
2305         (test):
2306         (foo): Deleted.
2307         (catch): Deleted.
2308
2309 2018-12-05  Mark Lam  <mark.lam@apple.com>
2310
2311         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2312         https://bugs.webkit.org/show_bug.cgi?id=192441
2313         <rdar://problem/46480355>
2314
2315         Reviewed by Saam Barati.
2316
2317         * stress/regress-192441.js: Added.
2318
2319 2018-12-04  Mark Lam  <mark.lam@apple.com>
2320
2321         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2322         https://bugs.webkit.org/show_bug.cgi?id=192386
2323         <rdar://problem/46445516>
2324
2325         Reviewed by Saam Barati.
2326
2327         * stress/regress-192386.js: Added.
2328
2329 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2330
2331         [ESNext][BigInt] Support logic operations
2332         https://bugs.webkit.org/show_bug.cgi?id=179903
2333
2334         Reviewed by Yusuke Suzuki.
2335
2336         * stress/big-int-branch-usage.js: Added.
2337         * stress/big-int-logical-and.js: Added.
2338         * stress/big-int-logical-not.js: Added.
2339         * stress/big-int-logical-or.js: Added.
2340
2341 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2342
2343         Unreviewed, rolling out r238833.
2344
2345         Breaks macOS and iOS debug builds.
2346
2347         Reverted changeset:
2348
2349         "[ESNext][BigInt] Support logic operations"
2350         https://bugs.webkit.org/show_bug.cgi?id=179903
2351         https://trac.webkit.org/changeset/238833
2352
2353 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2354
2355         [ESNext][BigInt] Support logic operations
2356         https://bugs.webkit.org/show_bug.cgi?id=179903
2357
2358         Reviewed by Yusuke Suzuki.
2359
2360         * stress/big-int-branch-usage.js: Added.
2361         * stress/big-int-logical-and.js: Added.
2362         * stress/big-int-logical-not.js: Added.
2363         * stress/big-int-logical-or.js: Added.
2364
2365 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2366
2367         [ESNext][BigInt] Implement support for "<<" and ">>"
2368         https://bugs.webkit.org/show_bug.cgi?id=186233
2369
2370         Reviewed by Yusuke Suzuki.
2371
2372         * stress/big-int-left-shift-general.js: Added.
2373         * stress/big-int-left-shift-range-error.js: Added.
2374         * stress/big-int-left-shift-type-error.js: Added.
2375         * stress/big-int-left-shift-wrapped-value.js: Added.
2376         * stress/big-int-right-shift-general.js: Added.
2377         * stress/big-int-right-shift-type-error.js: Added.
2378         * stress/big-int-right-shift-wrapped-value.js: Added.
2379         * stress/left-shift-to-primitive-precedence.js: Added.
2380         * stress/right-shift-to-primitive-precedence.js: Added.
2381
2382 2018-11-30  Dean Jackson  <dino@apple.com>
2383
2384         Add first-class support for .mjs files in jsc binary
2385         https://bugs.webkit.org/show_bug.cgi?id=192190
2386         <rdar://problem/46375715>
2387
2388         Reviewed by Keith Miller.
2389
2390         * stress/simple-module.mjs: Added.
2391         * stress/simple-script.js: Added.
2392
2393 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2394
2395         [BigInt] Implement ValueBitXor into DFG
2396         https://bugs.webkit.org/show_bug.cgi?id=190264
2397
2398         Reviewed by Yusuke Suzuki.
2399
2400         * stress/big-int-bitwise-xor-jit.js: Added.
2401         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2402         * stress/big-int-bitwise-xor-untyped.js: Added.
2403
2404 2018-11-27  Saam barati  <sbarati@apple.com>
2405
2406         r238510 broke scopes of size zero
2407         https://bugs.webkit.org/show_bug.cgi?id=192033
2408         <rdar://problem/46281734>
2409
2410         Reviewed by Keith Miller.
2411
2412         * stress/r238510-bad-loop.js: Added.
2413         (foo):
2414
2415 2018-11-27  Mark Lam  <mark.lam@apple.com>
2416
2417         [Re-landing] NaNs read from Wasm code need to be purified.
2418         https://bugs.webkit.org/show_bug.cgi?id=191056
2419         <rdar://problem/45660341>
2420
2421         Reviewed by Filip Pizlo.
2422
2423         * wasm/regress/regress-191056.js: Added.
2424
2425 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2426
2427         Unreviewed, rolling out r238509.
2428
2429         Causes JSC tests to fail on iOS.
2430
2431         Reverted changeset:
2432
2433         "NaNs read from Wasm code need to be purified."
2434         https://bugs.webkit.org/show_bug.cgi?id=191056
2435         https://trac.webkit.org/changeset/238509
2436
2437 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2438
2439         Re-introduce op_bitnot
2440         https://bugs.webkit.org/show_bug.cgi?id=190923
2441
2442         Reviewed by Yusuke Suzuki.
2443
2444         * stress/bit-not-must-generate.js: Added.
2445         * stress/bitwise-not-no-int32.js: Added.
2446
2447 2018-11-26  Saam barati  <sbarati@apple.com>
2448
2449         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2450         https://bugs.webkit.org/show_bug.cgi?id=191956
2451         <rdar://problem/45665806>
2452
2453         Reviewed by Yusuke Suzuki.
2454
2455         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2456         (bar):
2457         (foo):
2458
2459 2018-11-26  Saam barati  <sbarati@apple.com>
2460
2461         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2462         https://bugs.webkit.org/show_bug.cgi?id=191958
2463         <rdar://problem/46221877>
2464
2465         Reviewed by Yusuke Suzuki.
2466
2467         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2468         (x):
2469         (foo):
2470
2471 2018-11-26  Mark Lam  <mark.lam@apple.com>
2472
2473         NaNs read from Wasm code need to be purified.
2474         https://bugs.webkit.org/show_bug.cgi?id=191056
2475         <rdar://problem/45660341>
2476
2477         Reviewed by Filip Pizlo.
2478
2479         * wasm/regress/regress-191056.js: Added.
2480
2481 2018-11-26  Michael Saboff  <msaboff@apple.com>
2482
2483         32-bit JSC test failure: stress/regexp-compile-oom.js
2484         https://bugs.webkit.org/show_bug.cgi?id=191375
2485
2486         Reviewed by Mark Lam.
2487
2488         Disabled the test for 32 bit platforms.
2489
2490         * stress/regexp-compile-oom.js:
2491
2492 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2493
2494         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2495         https://bugs.webkit.org/show_bug.cgi?id=191716
2496         <rdar://problem/45723878>
2497
2498         Reviewed by Saam Barati.
2499
2500         * stress/regress-187373.js: Added.
2501         (async.fn):
2502
2503 2018-11-21  Saam barati  <sbarati@apple.com>
2504
2505         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2506         https://bugs.webkit.org/show_bug.cgi?id=191897
2507         <rdar://problem/45871998>
2508
2509         Reviewed by Mark Lam.
2510
2511         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2512         (bar):
2513         (foo):
2514
2515 2018-11-21  Saam barati  <sbarati@apple.com>
2516
2517         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2518         https://bugs.webkit.org/show_bug.cgi?id=191895
2519         <rdar://problem/46167406>
2520
2521         Reviewed by Mark Lam.
2522
2523         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2524         (foo):
2525         (bar):
2526
2527 2018-11-21  Mark Lam  <mark.lam@apple.com>
2528
2529         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2530         https://bugs.webkit.org/show_bug.cgi?id=191776
2531         <rdar://problem/46152851>
2532
2533         Reviewed by Saam Barati.
2534
2535         * stress/big-wasm-memory-grow-no-max.js:
2536         * stress/big-wasm-memory-grow.js:
2537         * stress/big-wasm-memory.js:
2538         - updated these to expect an OutOfMemoryError.
2539
2540         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2541         (Binary.prototype.emit_u8):
2542         (Binary.prototype.emit_u32v):
2543         (Binary.prototype.emit_header):
2544         (Binary.prototype.emit_section):
2545         (Binary):
2546         (WasmModuleBuilder):
2547         (WasmModuleBuilder.prototype.addMemory):
2548         (WasmModuleBuilder.prototype.toArray):
2549         (WasmModuleBuilder.prototype.toBuffer):
2550         (WasmModuleBuilder.prototype.instantiate):
2551         (catch):
2552         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2553         (catch):
2554
2555 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2556
2557         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2558         https://bugs.webkit.org/show_bug.cgi?id=190836
2559
2560         Reviewed by Saam Barati and Yusuke Suzuki.
2561
2562         * stress/big-int-out-of-memory-tests.js: Added.
2563
2564 2018-11-20  Mark Lam  <mark.lam@apple.com>
2565
2566         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2567         https://bugs.webkit.org/show_bug.cgi?id=191856
2568         <rdar://problem/46089992>
2569
2570         Reviewed by Yusuke Suzuki.
2571
2572         * stress/regress-191856.js: Added.
2573         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2574
2575 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2576
2577         Enable JIT on ARM/Linux
2578         https://bugs.webkit.org/show_bug.cgi?id=191548
2579
2580         Reviewed by Yusuke Suzuki.
2581
2582         Disable test on system with limited memory. Program was killed by
2583         the OS before the exception was thrown.
2584
2585         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2586
2587 2018-11-20  Saam Barati  <sbarati@apple.com>
2588
2589         Merging an IC variant may lead to the IC status containing overlapping structure sets
2590         https://bugs.webkit.org/show_bug.cgi?id=191869
2591         <rdar://problem/45403453>
2592
2593         Reviewed by Mark Lam.
2594
2595         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2596
2597 2018-11-19  Mark Lam  <mark.lam@apple.com>
2598
2599         globalFuncImportModule() should return a promise when it clears exceptions.
2600         https://bugs.webkit.org/show_bug.cgi?id=191792
2601         <rdar://problem/46090763>
2602
2603         Reviewed by Michael Saboff.
2604
2605         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2606
2607 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2608
2609         Skip new memory-hungry tests on memory limited devices
2610
2611         Unreviewed gardening.
2612
2613         * stress/big-wasm-memory-grow-no-max.js:
2614         * stress/big-wasm-memory-grow.js:
2615         * stress/big-wasm-memory.js:
2616
2617 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2618
2619         Unreviewed, rolling in the rest of r237254
2620         https://bugs.webkit.org/show_bug.cgi?id=190340
2621
2622         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2623         * stress/function-cache-with-parameters-end-position.js: Added.
2624         (shouldBe):
2625         (shouldThrow):
2626         (i.anonymous):
2627         * stress/function-constructor-name.js: Added.
2628         (shouldBe):
2629         (GeneratorFunction):
2630         (AsyncFunction.async):
2631         (AsyncGeneratorFunction.async):
2632         (anonymous):
2633         (async.anonymous):
2634         * test262/expectations.yaml:
2635
2636 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2637
2638         All users of ArrayBuffer should agree on the same max size
2639         https://bugs.webkit.org/show_bug.cgi?id=191771
2640
2641         Reviewed by Mark Lam.
2642
2643         * stress/big-wasm-memory-grow-no-max.js: Added.
2644         (foo):
2645         (catch):
2646         * stress/big-wasm-memory-grow.js: Added.
2647         (foo):
2648         (catch):
2649         * stress/big-wasm-memory.js: Added.
2650         (foo):
2651         (catch):
2652
2653 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2654
2655         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2656         run for each JSC config since they're regression tests for runtime bugs.
2657
2658         * stress/json-stringified-overflow-2.js:
2659         * stress/json-stringified-overflow.js:
2660
2661 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2662
2663         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2664         config since they're regression tests for runtime bugs.
2665
2666         * stress/large-unshift-splice.js:
2667         * stress/regress-185888.js:
2668
2669 2018-11-16  Saam Barati  <sbarati@apple.com>
2670
2671         KnownCellUse should also have SpecCellCheck as its type filter
2672         https://bugs.webkit.org/show_bug.cgi?id=191729
2673         <rdar://problem/45872852>
2674
2675         Reviewed by Filip Pizlo.
2676
2677         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2678         (C):
2679
2680 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2681
2682         Fix assertion failure on BytecodeGenerator::recordOpcode
2683         https://bugs.webkit.org/show_bug.cgi?id=191724
2684         <rdar://problem/45724395>
2685
2686         Reviewed by Saam Barati.
2687
2688         * stress/regress-187373-2.js: Added.
2689         (foo):
2690
2691 2018-11-15  Mark Lam  <mark.lam@apple.com>
2692
2693         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2694         https://bugs.webkit.org/show_bug.cgi?id=191730
2695         <rdar://problem/46048517>
2696
2697         Reviewed by Saam Barati.
2698
2699         * stress/regress-187006.js: Removed.
2700           - this test is invalid because its sole purpose is to test for the non-spec
2701             compliant behavior that we just fixed.
2702
2703         * stress/regress-191730.js: Added.
2704
2705 2018-11-15  Mark Lam  <mark.lam@apple.com>
2706
2707         RegExp operations should not take fast path if lastIndex is not numeric.
2708         https://bugs.webkit.org/show_bug.cgi?id=191731
2709         <rdar://problem/46017305>
2710
2711         Reviewed by Saam Barati.
2712
2713         * stress/regress-191731.js: Added.
2714
2715 2018-11-13  Saam Barati  <sbarati@apple.com>
2716
2717         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2718         https://bugs.webkit.org/show_bug.cgi?id=191600
2719
2720         Reviewed by Mark Lam.
2721
2722         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2723         (foo):
2724         (test):
2725         (bar):
2726
2727 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2728
2729         Unreviewed, rolling out r238132.
2730
2731         The test added with this change is timing out on Debug JSC
2732         bots.
2733
2734         Reverted changeset:
2735
2736         "[BigInt] JSBigInt::createWithLength should throw when length
2737         is greater than JSBigInt::maxLength"
2738         https://bugs.webkit.org/show_bug.cgi?id=190836
2739         https://trac.webkit.org/changeset/238132
2740
2741 2018-11-13  Mark Lam  <mark.lam@apple.com>
2742
2743         Add OOM detection to StringPrototype's substituteBackreferences().
2744         https://bugs.webkit.org/show_bug.cgi?id=191563
2745         <rdar://problem/45720428>
2746
2747         Reviewed by Saam Barati.
2748
2749         * stress/regress-191563.js: Added.
2750
2751 2018-11-13  Mark Lam  <mark.lam@apple.com>
2752
2753         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2754         https://bugs.webkit.org/show_bug.cgi?id=191579
2755         <rdar://problem/45942472>
2756
2757         Reviewed by Saam Barati.
2758
2759         * stress/regress-191579.js: Added.
2760
2761 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2762
2763         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2764         https://bugs.webkit.org/show_bug.cgi?id=190836
2765
2766         Reviewed by Saam Barati.
2767
2768         * stress/big-int-out-of-memory-tests.js: Added.
2769
2770 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2771
2772         U+180E is no longer a whitespace character
2773         https://bugs.webkit.org/show_bug.cgi?id=191415
2774
2775         Reviewed by Saam Barati.
2776
2777         * ChakraCore/test/es5/regexSpace.baseline:
2778         * ChakraCore/test/es6/unicode_whitespace.js:
2779         Update tests to latest version.
2780         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2781
2782         * test262.yaml:
2783         * test262/config.yaml:
2784         * test262/expectations.yaml:
2785         Update expectations.
2786
2787 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2788
2789         [BigInt] Add support to BigInt into ValueAdd
2790         https://bugs.webkit.org/show_bug.cgi?id=186177
2791
2792         Reviewed by Keith Miller.
2793
2794         * stress/big-int-negate-jit.js:
2795         * stress/value-add-big-int-and-string.js: Added.
2796         * stress/value-add-big-int-prediction-propagation.js: Added.
2797         * stress/value-add-big-int-untyped.js: Added.
2798
2799 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2800
2801         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2802         https://bugs.webkit.org/show_bug.cgi?id=191184
2803
2804         Reviewed by Saam Barati.
2805
2806         Most tests were failing due to timeouts, since they are too slow to
2807         run on CLoop. The exceptions are:
2808
2809         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2810         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2811         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2812         to change the stack size since CLoop requires it to be page aligned.
2813
2814         * microbenchmarks/array-push-1.js:
2815         * microbenchmarks/array-push-2.js:
2816         * microbenchmarks/elidable-new-object-dag.js:
2817         * microbenchmarks/elidable-new-object-roflcopter.js:
2818         * microbenchmarks/elidable-new-object-tree.js:
2819         * microbenchmarks/getter-richards.js:
2820         * microbenchmarks/sinkable-new-object-dag.js:
2821         * microbenchmarks/string-concat-long-convert.js:
2822         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2823         * slowMicrobenchmarks/array-push-3.js:
2824         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2825         * slowMicrobenchmarks/spread-small-array.js:
2826         * slowMicrobenchmarks/undefined-property-access.js:
2827         * stress/activation-sink-default-value-tdz-error.js:
2828         * stress/activation-sink-default-value.js:
2829         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2830         * stress/activation-sink-osrexit-default-value.js:
2831         * stress/activation-sink-osrexit.js:
2832         * stress/activation-sink.js:
2833         * stress/allow-math-ic-b3-code-duplication.js:
2834         * stress/array-push-multiple-int32.js:
2835         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2836         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2837         * stress/arrowfunction-lexical-this-activation-sink.js:
2838         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2839         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2840         * stress/elide-new-object-dag-then-exit.js:
2841         * stress/materialize-regexp-cyclic.js:
2842         * stress/new-regex-inline.js:
2843         * stress/op_add.js:
2844         * stress/op_bitand.js:
2845         * stress/op_bitor.js:
2846         * stress/op_bitxor.js:
2847         * stress/op_div-ConstVar.js:
2848         * stress/op_div-VarConst.js:
2849         * stress/op_div-VarVar.js:
2850         * stress/op_lshift-ConstVar.js:
2851         * stress/op_lshift-VarConst.js:
2852         * stress/op_lshift-VarVar.js:
2853         * stress/op_mod-ConstVar.js:
2854         * stress/op_mod-VarConst.js:
2855         * stress/op_mod-VarVar.js:
2856         * stress/op_mul-ConstVar.js:
2857         * stress/op_mul-VarConst.js:
2858         * stress/op_mul-VarVar.js:
2859         * stress/op_rshift-ConstVar.js:
2860         * stress/op_rshift-VarConst.js:
2861         * stress/op_rshift-VarVar.js:
2862         * stress/op_sub-ConstVar.js:
2863         * stress/op_sub-VarConst.js:
2864         * stress/op_sub-VarVar.js:
2865         * stress/op_urshift-ConstVar.js:
2866         * stress/op_urshift-VarConst.js:
2867         * stress/op_urshift-VarVar.js:
2868         * stress/proxy-get-set-correct-receiver.js:
2869         * stress/regress-179562.js:
2870         * stress/rest-parameter-many-arguments.js:
2871         * stress/sampling-profiler-richards.js:
2872         * stress/splay-flash-access-1ms.js:
2873         * stress/tailCallForwardArguments.js:
2874         * stress/typed-array-get-by-val-profiling.js:
2875         * typeProfiler/getter-richards.js:
2876
2877 2018-11-06  Michael Saboff  <msaboff@apple.com>
2878
2879         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2880         https://bugs.webkit.org/show_bug.cgi?id=191271
2881
2882         Reviewed by Saam Barati.
2883
2884         Added more test cases and made all test cases run with the same deeply recursive stack
2885         instead of finding that same point for each test case.
2886
2887         * stress/regexp-compile-oom.js:
2888         (prototype.runTest):
2889         (recurseAndTest):
2890         (testList.push.new.TestAndExpectedException):
2891
2892 2018-11-05  Michael Saboff  <msaboff@apple.com>
2893
2894         Unreviewed build fix for linux.
2895
2896         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2897
2898 2018-11-02  Michael Saboff  <msaboff@apple.com>
2899
2900         Rolling in r237753 with unreviewed build fix.
2901
2902         Fixed issues with DECLARE_THROW_SCOPE placement.
2903
2904 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2905
2906         Unreviewed, rolling out r237753.
2907
2908         Introduced JSC test failures
2909
2910         Reverted changeset:
2911
2912         "Running out of stack space not properly handled in
2913         RegExp::compile() and its callers"
2914         https://bugs.webkit.org/show_bug.cgi?id=191206
2915         https://trac.webkit.org/changeset/237753
2916
2917 2018-11-02  Michael Saboff  <msaboff@apple.com>
2918
2919         Running out of stack space not properly handled in RegExp::compile() and its callers
2920         https://bugs.webkit.org/show_bug.cgi?id=191206
2921
2922         Reviewed by Filip Pizlo.
2923
2924         New regression test.
2925
2926         * stress/regexp-compile-oom.js: Added.
2927         (recurseAndTest):
2928
2929 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2930
2931         Skip tests on arm/mips that time out now we're running on CLoop
2932
2933         Unreviewed gardening.
2934
2935         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2936         time out on the bots and need to be disabled. There's more tests
2937         disabled on arm because the timeout is longer on the mips bot (as the
2938         device is slower to start with), so many of the tests don't time out
2939         there.
2940
2941         * microbenchmarks/getter-richards.js: disable on arm and mips.
2942         * stress/op_add.js: disable on arm.
2943         * stress/op_bitand.js: disable on arm.
2944         * stress/op_bitor.js: disable on arm.
2945         * stress/op_bitxor.js: disable on arm.
2946         * stress/op_lshift-ConstVar.js: disable on arm.
2947         * stress/op_lshift-VarConst.js: disable on arm.
2948         * stress/op_lshift-VarVar.js: disable on arm.
2949         * stress/op_mod-ConstVar.js: disable on arm.
2950         * stress/op_mod-VarConst.js: disable on arm.
2951         * stress/op_mod-VarVar.js: disable on arm.
2952         * stress/op_mul-ConstVar.js: disable on arm.
2953         * stress/op_mul-VarConst.js: disable on arm.
2954         * stress/op_mul-VarVar.js: disable on arm.
2955         * stress/op_rshift-ConstVar.js: disable on arm.
2956         * stress/op_rshift-VarConst.js: disable on arm.
2957         * stress/op_rshift-VarVar.js: disable on arm.
2958         * stress/op_sub-ConstVar.js: disable on arm.
2959         * stress/op_sub-VarConst.js: disable on arm.
2960         * stress/op_sub-VarVar.js: disable on arm.
2961         * stress/op_urshift-ConstVar.js: disable on arm.
2962         * stress/op_urshift-VarConst.js: disable on arm.
2963         * stress/op_urshift-VarVar.js: disable on arm.
2964         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2965         * stress/value-to-boolean.js: disable on arm and mips.
2966
2967 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2968
2969         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2970         https://bugs.webkit.org/show_bug.cgi?id=191108
2971         <rdar://problem/45690700>
2972
2973         Reviewed by Saam Barati.
2974
2975         * stress/wide-op_catch.js: Added.
2976         (catch):
2977
2978 2018-10-29  Mark Lam  <mark.lam@apple.com>
2979
2980         Correctly detect string overflow when using the 'Function' constructor.
2981         https://bugs.webkit.org/show_bug.cgi?id=184883
2982         <rdar://problem/36320331>
2983
2984         Reviewed by Saam Barati.
2985
2986         I've verified that this passes on 32-bit as well.
2987
2988         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2989
2990 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2991
2992         Add support for GetStack FlushedDouble
2993         https://bugs.webkit.org/show_bug.cgi?id=191012
2994         <rdar://problem/45265141>
2995
2996         Reviewed by Saam Barati.
2997
2998         * stress/get-stack-double.js: Added.
2999         (bar):
3000         (noInline):
3001
3002 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3003
3004         New bytecode format for JSC
3005         https://bugs.webkit.org/show_bug.cgi?id=187373
3006         <rdar://problem/44186758>
3007
3008         Reviewed by Filip Pizlo.
3009
3010         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3011
3012         * stress/maximum-inline-capacity.js: Added.
3013         (test1):
3014         (test3.Foo):
3015         (test3):
3016
3017 2018-10-26  Commit Queue  <commit-queue@webkit.org>
3018
3019         Unreviewed, rolling out r237479 and r237484.
3020         https://bugs.webkit.org/show_bug.cgi?id=190978
3021
3022         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
3023
3024         Reverted changesets:
3025
3026         "New bytecode format for JSC"
3027         https://bugs.webkit.org/show_bug.cgi?id=187373
3028         https://trac.webkit.org/changeset/237479
3029
3030         "Gardening: Build fix after r237479."
3031         https://bugs.webkit.org/show_bug.cgi?id=187373
3032         https://trac.webkit.org/changeset/237484
3033
3034 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
3035
3036         New bytecode format for JSC
3037         https://bugs.webkit.org/show_bug.cgi?id=187373
3038         <rdar://problem/44186758>
3039
3040         Reviewed by Filip Pizlo.
3041
3042         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3043
3044         * stress/maximum-inline-capacity.js: Added.
3045         (test1):
3046         (test3.Foo):
3047         (test3):
3048
3049 2018-10-26  Mark Lam  <mark.lam@apple.com>
3050
3051         Fix missing edge cases with JSGlobalObjects having a bad time.
3052         https://bugs.webkit.org/show_bug.cgi?id=189028
3053         <rdar://problem/45204939>
3054
3055         Reviewed by Saam Barati.
3056
3057         * stress/regress-189028.js: Added.
3058
3059 2018-10-22  Mark Lam  <mark.lam@apple.com>
3060
3061         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3062         https://bugs.webkit.org/show_bug.cgi?id=190515
3063         <rdar://problem/45222379>
3064
3065         Rubber-stamped by Saam Barati.
3066
3067         Adding another test.
3068
3069         * stress/regress-190515-2.js: Added.
3070
3071 2018-10-22  Mark Lam  <mark.lam@apple.com>
3072
3073         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3074         https://bugs.webkit.org/show_bug.cgi?id=190515
3075         <rdar://problem/45222379>
3076
3077         Reviewed by Saam Barati.
3078
3079         * stress/regress-190515.js: Added.
3080
3081 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3082
3083         Unreviewed, rolling out r237254.
3084         https://bugs.webkit.org/show_bug.cgi?id=190760
3085
3086         "It regresses JetStream 2 by 5% on some iOS devices"
3087         (Requested by saamyjoon on #webkit).
3088
3089         Reverted changeset:
3090
3091         "[JSC] JSC should have "parseFunction" to optimize Function
3092         constructor"
3093         https://bugs.webkit.org/show_bug.cgi?id=190340
3094         https://trac.webkit.org/changeset/237254
3095
3096 2018-10-19  Saam Barati  <sbarati@apple.com>
3097
3098         vmCall should check if we exit before emitting an OSR exit due to exceptions
3099         https://bugs.webkit.org/show_bug.cgi?id=190740
3100         <rdar://problem/45220139>
3101
3102         Reviewed by Mark Lam.
3103
3104         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3105         (foo):
3106
3107 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3108
3109         [ESNext][BigInt] Implement support for "^"
3110         https://bugs.webkit.org/show_bug.cgi?id=186235
3111
3112         Reviewed by Yusuke Suzuki.
3113
3114         * stress/big-int-bitwise-xor-general.js: Added.
3115         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3116         * stress/big-int-bitwise-xor-type-error.js: Added.
3117         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3118
3119 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3120
3121         [BigInt] Add ValueSub into DFG
3122         https://bugs.webkit.org/show_bug.cgi?id=186176
3123
3124         Reviewed by Yusuke Suzuki.
3125
3126         * stress/big-int-subtraction-jit.js:
3127         * stress/value-sub-big-int-prediction-propagation.js: Added.
3128         * stress/value-sub-big-int-untyped.js: Added.
3129         * stress/value-sub-spec-none-case.js: Added.
3130
3131 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3132
3133         [JSC] JSC should have "parseFunction" to optimize Function constructor
3134         https://bugs.webkit.org/show_bug.cgi?id=190340
3135
3136         Reviewed by Mark Lam.
3137
3138         This patch fixes the line number of syntax errors raised by the Function constructor,
3139         since we now parse the final code only once. And we no longer use block statement
3140         for Function constructor's parsing.
3141
3142         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3143         * stress/function-cache-with-parameters-end-position.js: Added.
3144         (shouldBe):
3145         (shouldThrow):
3146         (i.anonymous):
3147         * stress/function-constructor-name.js: Added.
3148         (shouldBe):
3149         (GeneratorFunction):
3150         (AsyncFunction.async):
3151         (AsyncGeneratorFunction.async):
3152         (anonymous):
3153         (async.anonymous):
3154         * test262/expectations.yaml:
3155
3156 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3157
3158         Unreviewed, rolling out r237242.
3159         https://bugs.webkit.org/show_bug.cgi?id=190701
3160
3161         it breaks "stress/sampling-profiler-basic.js" (Requested by
3162         caiolima on #webkit).
3163
3164         Reverted changeset:
3165
3166         "[BigInt] Add ValueSub into DFG"
3167         https://bugs.webkit.org/show_bug.cgi?id=186176
3168         https://trac.webkit.org/changeset/237242
3169
3170 2018-10-17  Keith Miller  <keith_miller@apple.com>
3171
3172         AI does not clear Phantom allocation nodes.
3173         https://bugs.webkit.org/show_bug.cgi?id=190694
3174
3175         Reviewed by Saam Barati.
3176
3177         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3178         (Day):
3179         (DaysInYear):
3180         (TimeInYear):
3181         (TimeFromYear):
3182         (DayFromYear):
3183         (InLeapYear):
3184         (YearFromTime):
3185         (WeekDay):
3186         (DaylightSavingTA):
3187         (GetSecondSundayInMarch):
3188         (TimeInMonth):
3189
3190 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3191
3192         [BigInt] Add ValueSub into DFG
3193         https://bugs.webkit.org/show_bug.cgi?id=186176
3194
3195         Reviewed by Yusuke Suzuki.
3196
3197         * stress/big-int-subtraction-jit.js:
3198         * stress/value-sub-big-int-prediction-propagation.js: Added.
3199         * stress/value-sub-big-int-untyped.js: Added.
3200
3201 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3202
3203         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3204         https://bugs.webkit.org/show_bug.cgi?id=190611
3205
3206         Reviewed by Saam Barati.
3207
3208         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3209         to improve test runtime. On ARM/MIPS this test even timed out when running all
3210         tests.
3211
3212         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3213         (test):
3214
3215 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3216
3217         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3218
3219         Unreviewed gardening.
3220
3221         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3222
3223 2018-10-15  Saam Barati  <sbarati@apple.com>
3224
3225         Emit fjcvtzs on ARM64E on Darwin
3226         https://bugs.webkit.org/show_bug.cgi?id=184023
3227
3228         Reviewed by Yusuke Suzuki and Filip Pizlo.
3229
3230         * stress/double-to-int32-NaN.js: Added.
3231         (assert):
3232         (foo):
3233
3234 2018-10-15  Saam Barati  <sbarati@apple.com>
3235
3236         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3237         https://bugs.webkit.org/show_bug.cgi?id=190262
3238         <rdar://problem/44986241>
3239
3240         Reviewed by Mark Lam.
3241
3242         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3243         (test):
3244         * stress/slice-array-storage-with-holes.js: Added.
3245         (main):
3246
3247 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3248
3249         Unreviewed, rolling out r237054.
3250         https://bugs.webkit.org/show_bug.cgi?id=190593
3251
3252         "this regressed JetStream 2 by 6% on iOS" (Requested by
3253         saamyjoon on #webkit).
3254
3255         Reverted changeset:
3256
3257         "[JSC] JSC should have "parseFunction" to optimize Function
3258         constructor"
3259         https://bugs.webkit.org/show_bug.cgi?id=190340
3260         https://trac.webkit.org/changeset/237054
3261
3262 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3263
3264         [JSC] JSON.stringify can accept call-with-no-arguments
3265         https://bugs.webkit.org/show_bug.cgi?id=190343
3266
3267         Reviewed by Mark Lam.
3268
3269         * stress/json-stringify-no-arguments.js: Added.
3270         (shouldBe):
3271
3272 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3273
3274         [JSC] JSC should have "parseFunction" to optimize Function constructor
3275         https://bugs.webkit.org/show_bug.cgi?id=190340
3276
3277         Reviewed by Mark Lam.
3278
3279         This patch fixes the line number of syntax errors raised by the Function constructor,
3280         since we now parse the final code only once. And we no longer use block statement
3281         for Function constructor's parsing.
3282
3283         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3284         * stress/function-cache-with-parameters-end-position.js: Added.
3285         (shouldBe):
3286         (shouldThrow):
3287         (i.anonymous):
3288         * stress/function-constructor-name.js: Added.
3289         (shouldBe):
3290         (GeneratorFunction):
3291         (AsyncFunction.async):
3292         (AsyncGeneratorFunction.async):
3293         (anonymous):
3294         (async.anonymous):
3295         * test262/expectations.yaml:
3296
3297 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3298
3299         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3300         https://bugs.webkit.org/show_bug.cgi?id=190426
3301
3302         Unreviewed gardening.
3303
3304         * stress/sampling-profiler-richards.js:
3305
3306 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3307
3308         [ESNext][BigInt] Implement support for "|"
3309         https://bugs.webkit.org/show_bug.cgi?id=186229
3310
3311         Reviewed by Yusuke Suzuki.
3312
3313         * stress/big-int-bitwise-and-jit.js:
3314         * stress/big-int-bitwise-or-general.js: Added.
3315         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3316         * stress/big-int-bitwise-or-jit.js: Added.
3317         * stress/big-int-bitwise-or-memory-stress.js: Added.
3318         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3319         * stress/big-int-bitwise-or-type-error.js: Added.
3320         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3321
3322 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3323
3324         Skip test on systems with limited memory
3325         https://bugs.webkit.org/show_bug.cgi?id=190310
3326
3327         Invoking runDefault adds test to runlist, skipping the test in the next
3328         line does not prevent the test from executing. Change order of lines such
3329         that runDefault is only executed if test is not executed.
3330
3331         Reviewed by Mark Lam.
3332
3333         * stress/regress-190187.js:
3334
3335 2018-10-03  Saam Barati  <sbarati@apple.com>
3336
3337         lowXYZ in FTLLower should always filter the type of the incoming edge
3338         https://bugs.webkit.org/show_bug.cgi?id=189939
3339         <rdar://problem/44407030>
3340
3341         Reviewed by Michael Saboff.
3342
3343         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3344         (foo):
3345         (test):
3346
3347 2018-10-03  Mark Lam  <mark.lam@apple.com>
3348
3349         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3350         https://bugs.webkit.org/show_bug.cgi?id=190187
3351         <rdar://problem/42512909>
3352
3353         Reviewed by Michael Saboff.
3354
3355         * stress/regress-190187.js: Added.
3356
3357 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3358
3359         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3360         https://bugs.webkit.org/show_bug.cgi?id=190033
3361
3362         Reviewed by Yusuke Suzuki.
3363
3364         * stress/big-int-to-string.js:
3365
3366 2018-10-01  Mark Lam  <mark.lam@apple.com>
3367
3368         Function.toString() should also copy the source code Functions that are class definitions.
3369         https://bugs.webkit.org/show_bug.cgi?id=190186
3370         <rdar://problem/44733360>
3371
3372         Reviewed by Saam Barati.
3373
3374         * stress/regress-190186.js: Added.
3375
3376 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3377
3378         Split NaN-check into separate test
3379         https://bugs.webkit.org/show_bug.cgi?id=190010
3380
3381         Reviewed by Saam Barati.
3382
3383         DataView exposes NaN-representation, which is not necessarily the same on each
3384         architecture. Therefore move the check of the NaN-representation into its own
3385         file such that we can disable this test on MIPS where NaN-representation can be
3386         different on older CPUs.
3387
3388         * stress/dataview-jit-set-nan.js: Added.
3389         (assert):
3390         (test.storeLittleEndian):
3391         (test.storeBigEndian):
3392         (test.store):
3393         (test):
3394         * stress/dataview-jit-set.js:
3395         (test5):
3396
2018-10-01  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r236647.
        https://bugs.webkit.org/show_bug.cgi?id=190124

        Breaking test stress/big-int-to-string.js (Requested by
        caiolima_ on #webkit).

        Reverted changeset:

        "[BigInt] BigInt.prototype.toString is broken when radix is
        power of 2"
        https://bugs.webkit.org/show_bug.cgi?id=190033
        https://trac.webkit.org/changeset/236647

2018-09-30  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] BigInt.prototype.toString is broken when radix is power of 2
        https://bugs.webkit.org/show_bug.cgi?id=190033

        Reviewed by Yusuke Suzuki.

        * stress/big-int-to-string.js:

2018-09-28  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "&"
        https://bugs.webkit.org/show_bug.cgi?id=186228

        Reviewed by Yusuke Suzuki.

        * stress/big-int-bitwise-and-general.js: Added.
        (assert):
        (assert.sameValue):
        * stress/big-int-bitwise-and-jit.js: Added.
        (let.assert.sameValue):
        (bigIntBitAnd):
        * stress/big-int-bitwise-and-memory-stress.js: Added.
        (assert):
        * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
        (assert.sameValue):
        (let.o.Symbol.toPrimitive):
        (catch):
        * stress/big-int-bitwise-and-type-error.js: Added.
        (assert):
        (assertThrowTypeError):
        (let.o.valueOf):
        (o.valueOf):
        (o.toString):
        (o.Symbol.toPrimitive):
        * stress/big-int-bitwise-and-wrapped-value.js: Added.
        (assert.sameValue):
        (testBitAnd):
        (let.o.Symbol.toPrimitive):
        (o.valueOf):
        (o.toString):

2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>

        JSC test stress/jsc-read.js doesn't support CRLF
        https://bugs.webkit.org/show_bug.cgi?id=190063

        Reviewed by Yusuke Suzuki.

        In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.

        * stress/jsc-read.js:
        (test):

2018-09-27  Saam barati  <sbarati@apple.com>

        Verify the contents of AssemblerBuffer on arm64e
        https://bugs.webkit.org/show_bug.cgi?id=190057
        <rdar://problem/38916630>

        Reviewed by Mark Lam.

        * stress/regress-189132.js:

2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>

        Disable test without LLInt on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=190037

        Reviewed by Mark Lam.

        Test runs out of executable memory on ARMv7, do not run
        this test without LLInt enabled.

        * stress/regress-169445.js:

2018-09-26  Keith Miller  <keith_miller@apple.com>

        We should zero unused property storage when rebalancing array storage.
        https://bugs.webkit.org/show_bug.cgi?id=188151

        Reviewed by Michael Saboff.

        * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.

2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Array#lastIndexOf
        https://bugs.webkit.org/show_bug.cgi?id=189780

        Reviewed by Saam Barati.

        * stress/array-lastindexof-array-prototype-trap.js: Added.
        (shouldBe):
        (AncestorArray.prototype.get 2):
        (AncestorArray):
        * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
        (shouldBe):
        * stress/array-lastindexof-hole-nan.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-lastindexof-infinity.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-lastindexof-negative-zero.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-lastindexof-own-getter.js: Added.
        (shouldBe):
        (throw.new.Error.get array):
        (get array):
        * stress/array-lastindexof-prototype-trap.js: Added.
        (shouldBe):
        (DerivedArray.prototype.get 2):
        (DerivedArray):

2018-09-25  Saam Barati  <sbarati@apple.com>

        Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=189940
        <rdar://problem/43640987>

        Reviewed by Mark Lam.

        * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.

2018-09-24  Saam Barati  <sbarati@apple.com>

        Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
        https://bugs.webkit.org/show_bug.cgi?id=189922
        <rdar://problem/44651275>

        Reviewed by Mark Lam.

        * stress/array-indexof-fast-path-effects.js: Added.
        * stress/array-indexof-cached-length.js: Added.

2018-09-24  Saam barati  <sbarati@apple.com>

        ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
        https://bugs.webkit.org/show_bug.cgi?id=189682
        <rdar://problem/43557315>

        Reviewed by Mark Lam.

        * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
        (foo):

2018-09-22  Saam barati  <sbarati@apple.com>

        The sampling should not use Strong<CodeBlock> in its machineLocation field
        https://bugs.webkit.org/show_bug.cgi?id=189319

        Reviewed by Filip Pizlo.

        * stress/sampling-profiler-richards.js: Added.

2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Array#indexOf in C++ runtime
        https://bugs.webkit.org/show_bug.cgi?id=189507

        Reviewed by Saam Barati.

        * stress/array-indexof-array-prototype-trap.js: Added.
        (shouldBe):
        (AncestorArray.prototype.get 2):
        (AncestorArray):
        * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
        (shouldBe):
        * stress/array-indexof-hole-nan.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-indexof-infinity.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-indexof-negative-zero.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-indexof-own-getter.js: Added.
        (shouldBe):
        (throw.new.Error.get array):
        (get array):
        * stress/array-indexof-prototype-trap.js: Added.
        (shouldBe):
        (DerivedArray.prototype.get 2):
        (DerivedArray):

2018-09-19  Saam barati  <sbarati@apple.com>

        AI rule for MultiPutByOffset executes its effects in the wrong order
        https://bugs.webkit.org/show_bug.cgi?id=189757
        <rdar://problem/43535257>

        Reviewed by Michael Saboff.

        * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
        (foo):
        (Foo):
        (g):

2018-09-17  Mark Lam  <mark.lam@apple.com>

        Ensure that ForInContexts are invalidated if their loop local is over-written.
        https://bugs.webkit.org/show_bug.cgi?id=189571
        <rdar://problem/44402277>

        Reviewed by Saam Barati.

        * stress/regress-189571.js: Added.

2018-09-17  Saam barati  <sbarati@apple.com>

        We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
        https://bugs.webkit.org/show_bug.cgi?id=189676
        <rdar://problem/39682897>

        Reviewed by Michael Saboff.

        * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
        (A):
        (K):
        (i.catch):

2018-09-14  Saam barati  <sbarati@apple.com>

        Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
        https://bugs.webkit.org/show_bug.cgi?id=189628
        <rdar://problem/39481690>

        Reviewed by Mark Lam.

        * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
        (foo):

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for array initialization in arrayProtoFuncSplice.
        https://bugs.webkit.org/show_bug.cgi?id=170253
        <rdar://problem/31328773>

        Rubber-stamped by Saam Barati.

        * stress/regress-170253.js: Added.

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for IntlObject initialization.
        https://bugs.webkit.org/show_bug.cgi?id=170251
        <rdar://problem/31328419>

        Rubber-stamped by Saam Barati.

        * stress/regress-170251.js: Added.

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for array memcpy'ing when JSGlobalObject::haveABadTime.
        https://bugs.webkit.org/show_bug.cgi?id=169889
        <rdar://problem/31155607>

        Reviewed by Saam Barati.

        * stress/regress-169889-array-concat.js: Added.
        * stress/regress-169889-array-concat1.js: Added.
        * stress/regress-169889-array-slice.js: Added.

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
        https://bugs.webkit.org/show_bug.cgi?id=169445
        <rdar://problem/30957435>

        Reviewed by Saam Barati.

        * stress/regress-169445.js: Added.
        (let.gun.eval.A):
        (let.gun.eval.B.C):
        (let.gun.eval.B.C.prototype.trigger):
        (let.gun.eval.B.C.prototype.triggerWithRestParameters):
        (let.gun.eval.B):
        (let.gun.eval):

== Rolled over to ChangeLog-2018-09-11 ==